A Theory of Secure and Efficient Implementation of Electronic Money

Buldas, Ahto; Draheim, Dirk; Saarepera, Märt

doi:10.1007/s42979-023-02232-y

A Theory of Secure and Efficient Implementation of Electronic Money

Original Research
Open access
Published: 08 November 2023

Volume 4, article number 861, (2023)
Cite this article

Download PDF

You have full access to this open access article

SN Computer Science Aims and scope Submit manuscript

A Theory of Secure and Efficient Implementation of Electronic Money

Download PDF

753 Accesses
1 Altmetric
Explore all metrics

Abstract

Scalable and secure implementation of central bank digital currencies (CBDC) has been a challenge. Blockchains provide high operator-independent security and enable central banks to outsource CBDC operations while retaining control over the amount of circulating money. Scalability of blockchain depends on the possibility of decomposing the blockchain. We study how the choice of money scheme: accounts, bills, or unspent transaction outputs (UTXOs) influences the existence of secure and decomposable blockchain implementations of CBDC. We give formal definitions to money schemes, their decompositions, atomic decompositions inspired from the properties of blockchain implementations. For our formalism, we use tools from universal algebra and category theory. We present a general decomposition theory and conditions under which money schemes have atomic decompositions. Bill money schemes meet these conditions but account and UTXO schemes do not. Bill schemes enable scalable and secure implementations of CBDC while the more traditional schemes have some issues.

Secure and Efficient Implementation of Electronic Money

Blockchain of Cryptocurrency Using a Proof-of-Work-Based Consensus Algorithm with an SHA-256 Hash Algorithm to Make Secure Payments

A proposal for a layer-2 CBDC on a rollup

Article Open access 06 July 2024

Use our pre-submission checklist

Avoid common mistakes on your manuscript.

Introduction

During the last years, central banks have discussed possible use of central bank digital currencies (CBDC)—electronic cash. Besides the financial and economic factors also the scalability and security of technical implementations of CBDC have been studied. Blockchain technology provides a high level of security independent of the technical infrastructure and enables central banks to outsource most of the CBDC operations to the private sector while still having full control over the total amount of CBDC in circulation. The security measures may depend on whether the blockchain solution is public (permissionless) or private (permissioned). Private blockchains are less costly but their security needs somewhat more care as some type of insider attacks have to be considered.

Scalability has been the biggest technical concern of using blockchain-based CBDC. Nation-wide deployment of electronic cash requires service rates of ten to hundred thousands transactions per second while blockchain money solutions like Bitcoin only offer the rate of few dozen transactions per second. The key of filling the scalability gap is the possibility of decomposing (sharding) the blockchain. The efficiency of decomposition highly depends on the need for inter-component communication. For example, whenever two accounts are in different components, paying from one account to another requires two simultaneous operations in both components: debiting one account and crediting the other. This is technically challenging as it requires solving the atomic commit problem (often called “two generals problem"), which has no deterministic time solutions if possible message loss is considered. On the other hand, if we imagine a single coin or bill given by one person to another, the only parameter that changes is the ownership of the coin/bill. Such operation is atomic by definition. Hence, if an electronic money solution uses coins and bills to represent money and is sharded so that some coins and bills belong to one shard and others to another shard, then every single coin payment is uni shard and does not require inter shard communication.

In this paper, we present a general decomposition theory of money schemes and its implications about how the possibility of efficient sharding depends on the choice of the money scheme (accounts, coins, etc.). The theory explains why blockchain-based implementations of account-based and UTXO-based money schemes cannot be efficiently sharded, while bill based money schemes have efficient and secure sharding mechanisms. For our formalism, we use universal algebra and category theory as essential tools, because this provides us with the appropriate level of abstraction to find, prove and apply results on decomposability and indecomposability of e-money and payment systems.

This work also focuses on the security of sharded blockchain implementations of the bill money scheme considering that the blockchain is used in a permissioned and controlled scenario by the central bank. However, we consider the possibility that the central bank can outsource most of the service machinery to the private sector. The security of the solution is based on special types of lightweight user-initiated audit protocols that are executed during every payment. The goal of the audit procedure is to verify that each particular bill is properly used, i.e., all the ledger rules are fulfilled. We study two types of audit protocols:

1.
Full audit—if successful, guarantees that the ledger rules are followed
2.
Probabilistic audit—guarantees that any deviation from ledger rules will be detected very soon. The motivation behind probabilistic audit is that the communication complexity of the audit protocol is reduced.

The existence of communication-efficient probabilistic protocols seems to depend on the chosen money scheme and the blockchain certification scheme. We show that such protocols exist in the KSI-Cash CBDC solution [1] that is based on the bill money scheme, i.e. simulates the use of physical cash. It remains an open question if efficient probabilistic audit protocols exist for other money schemes.

In “Related work”, we provide a discussion of related work. In “Money schemes” and “Descriptional complexity of payments”, we explain money schemes and the decomposability of payments. We formalize the implementation and decomposition of money schemes and investigate their blockchain implementations in “Implementations of money schemes and Blockchain implementations”. In “Atomic decomposition of money schemes”, we formalize atomic decompositions—a class of decompositions that takes into account the aspects of blockchain implementations. We show that the bill scheme has atomic decompositions and the account and UTXO schemes do not. In “Unitwise decompositions of money schemes”, we study a special kind of decompositions called unitwise decompositions and give necessary and sufficient conditions for money schemes that guarantee the existence of atomic unitwise decompositions. In “Security of blockchain implementations, Rules of a bill ledger and User side full audit”, we discuss diverse security aspects of blockchain implementations. In “KSI-cash bill ledger and User side probabilistic audit in KSI-cash”, we describe KSI-Cash and its user side probabilistic audit. We finish the paper with a discussion in “Discussion” and a conclusion in “Conclusions”.

Related Work

Central Bank Digital Currencies

RSCoin [2] is an example of a sharded central bank digital currency. RSCoin is based on a blockchain as ledger and its architecture is centered around so called mintettes (which are shards in usual database terminology) and a trusted central component. Each mintette is responsible for a range of public client addresses. Together, the mintettes create consensus on valid blocks, which are then certified by the central component. The necessary communication between the mintettes is achieved indirectly via the wallets running a two-phase-commit protocol. Here, each wallet decides individually based on incoming majority votes.

The Hamilton Project [3] by the Federal Reserve Bank of Boston and the Massachusetts Institute of Technology Digital Currency Initiative is a concept study on the implementation of central bank digital currency. The study investigates two architectures. The first is the so called atomizer architecture, which is a blockchain solution that relies on sharded transaction verification. The architecture is based on the UTXO scheme. The central component of the architecture is called atomizer. The atomizer collects verified payments from the shards and creates the blocks, which introduces a significant bottleneck to the system. Next, the study compares the atomizer solution with the so-called 2PC architecture (2-phase-commit architecture), which represents established (i.e., non-blockchain) transaction system technologies found in today’s banking.

The crucial difference between RSCoin and the Hamilton project on the one hand and KSI Cash on the other hand is in the utilized money schemes. Both RSCoin and the Hamilton are based on the UTXO scheme, whereas KSI Cash is based on the bill money scheme. RSCoin and the Hamilton project need to deal with the severe issue of cross-shard transactions, whereas KSI Cash can instead deal with the comparatively moderate issue of increasing amounts of smaller money denominations [1].

An industrial-proven CDBC solution that is based on the bill scheme is G+D Filia provided by [4]. G+D Filia allows for offline consecutive payments and comes with a concept of money distribution as public-private partnership between central banks and commercial banks as intermediaries. In the context of this paper, G+D Filia is relevant because it is based on a bill money scheme, called value-based approach by [4]: “G+D Filia takes a value-based approach. Accordingly, monetary value is represented by a piece of data, a so-called value note. Payment is done by transferring this piece of data from one person to another, mirroring cash payments, which are carried out by transferring physical banknotes or coins from person A to person B " [4].

None of the related studies discussed in “Central bank digital currencies” aims at contributing to the theoretical understanding (and analysis) of payment systems as our paper.

Relevant Blockchain Technologies

Two recent surveys on sharding in blockchains are provided by [5] and [6]. Together, [5] and [6] investigate a total of 15 technologies, which are based on established e-money schemes (or do not specify an e-money scheme) as follows:

UTXO model: Elastico [7], SSChain [8], OmniLedger [9, 10], RapidChain [11, 12], Ostraka [13], and Stegos [14]
account model: Ethereum blockchains (including Ethereum [15], Ethereum 2.0 [16], and Ethereum upgrades^{Footnote 1}), Monoxide [17], ZILLIQA [18], Harmony [19], and Logos (Table 2.2. in [20])
object-based money scheme: Chainspace [21]
money scheme not specified: ZyConChain [22], and [23]

None of the sharded blockchain technologies surveyed by [5] and [6] are based on a bill scheme. We have found one blockchain technology in the literature, i.e., CoinCash [24], however, CoinCash is not a sharded blockchain technology, instead, it is a Bitcoin sidechain [25] that aims at enhancing privacy by adding an overlay of transaction anonymization [26].

None of the related studies discussed in “Relevant blockchain technologies” aims at contributing to the theoretical understanding (and analysis) of payment systems as our paper.

The Extended UTXO Model

In [27], the Extended UTXO (EUTXO) model has been suggested that aims at allowing for a more expressive smart contract language (similar to Ethereum, which is based on an account money scheme) while keeping the semantic model as close as possible to the UTXO model and, therefore, as simple as possible (as compared to the semantic model of the account money scheme, which is considered more complex by [27]). “To maintain the machine state [the EUTXO model extends] UTXO outputs from being a pair of a validator $\nu $ and a cryptocurrency value to being a triple ($\nu $,value,$\delta $) of validator, value, and a datum $\delta $, where $\delta $ contains arbitrary contract-specific data” [27]. Then, [27] formally describes the EUTXO model in “a straightforward set-theoretic form, which (1) admits an almost direct translation into languages like Haskell for implementation, and (2) is easily amenable to mechanical formalisation” [27]. The work [27] results in a powerful semantic model, that is fully formalised with the Agda^{Footnote 2} proof assistant. The objective of [27] (increasing smart contract expressiveness plus achieving semantic simplicity) is different from the objective of this paper (theoretical foundation of payment systems to enable the analysis of payment system decomposition).

Formal Models of Blockchain Technology

In [28], the EUTXO model [27] (see “The extended UTXO model”) is made subject of further investigation. On the basis of this, [28] provides a set of recursive type equations specifying an Idealized EUTXO [28, 29] money scheme. The model of these type equations form a category IETUxO. Furthermore, [28] provides a novel perspective on blockchains in terms of partitions called chunks which “display resource separation properties reminiscent of known systems such as separation logic [30]” [28] and “communicate across channels (much like the $\pi $-calculus [31])” [28]. Reference [28] formalizes the concept of chunks as abstract chunk systems in terms of a set of testable algebraic properties. Again, abstract chunk systems form a category ACS. Finally, [28] is able to construct functors between the categories IETUxO and ACS that “exhibit a cycle of categorical embeddings between them” [28]. This way, [28] achieves a rich collection of algebraic properties [32,33,34,35] of UTXO-based blockchains that can be exploited in future formal reasoning about blockchain systems.

In [36], the theory of resources of [37] is utilized to achieve a basic category-theoretical model of cryptocurrency systems. First, [36] gives a precise semantics of a version of string diagrams that have been augmented by concepts for modeling resource ownership (compare with [38]). Then, they show the applicability of these augmented string diagrams to ledger structures. With his work, [36] is able to show “how the resource theoretic interpretation of monoidal categories, and in particular their string diagrams [39], captures the sort of material history that concerns ledger structures for blockchain systems” [36].

The work presented in this paper is different from [28, 36] in regard of the following aspects: We formalize not only one of the established e-money schemes (UTXO scheme, account scheme), but incorporate the novel bill scheme into our theory; and we utilize our formalization to yield a series of results on the decomposability of the several e-money schemes, that are needed in informed design decisions in designing sharded blockchain technology. The bill scheme is particularly important, as our investigation shows that the bill scheme allows for the design of an ultra-scalable blockchain technology via sharding.

In [40], category theory is utilized to improve the language design and implementation of the blockchain smart contract language Simplicity. While [40] provides another useful example of leveraging category theory to advance the practice of information systems, and blockchain technology in particular, their objective (semantics and pragmatics of a smart contract language) is different from the objective of this paper (theoretical foundation of payment systems to enable the analysis of payment system decomposition).

Money Schemes

A money scheme [41, 42] describes the representational aspects of money and payments. There are different money schemes in practical use—account schemes, bill schemes, UTXO schemes, etc. In this section, we present a formal approach to characterize different money schemes.

Money Distributions

Money can be represented as a set U of units and a value function $\nu :U \rightarrow \mathbb {N}$ that defines for each unit $u\in U$ its value $\nu (u)\in \mathbb {N}$, where N is the set of natural numbers. The units may be accounts, bills, UTXOs, etc. We assume that there exists an infinite set $\mathscr {U}$ of all potential units, i.e. $U\subset \mathscr {U}$. For describing the ownership of money, a second function $\beta :U \rightarrow \mathscr {B}$ is introduced that assigns for each unit $u\in U$ its owner (bearer) $\beta (u)\in \mathscr {B}$, where $\mathscr {B}$ is the set of all potential bearers.

A triple $M=(U, \nu , \beta )$ is called a money distribution because it describes the units with their values and ownership. We denote by $\mathscr {M}$ the set of all possible money distributions, i.e. $\mathscr {M}$ consists of all triples $(U,\nu ,\beta )$, where U is a finite subset of $\mathscr {U}$ and $\nu :U\rightarrow \mathbb {N}$ and $\beta :U\rightarrow \mathscr {B}$ are any functions.

In such a model, we define the total amount of money in a money distribution $M=(U,\nu ,\beta )$ as $\sigma (M)=\sum _{u\in U}\nu (u)$, and a money owned by a bearer $b\in \mathscr {B}$ by $\sigma (M, b)= \sum _{u\in \beta ^{-1}(b)} \nu (u)$. The ownership function $\sigma (M, \cdot ):\mathscr {B}\rightarrow \mathbb {N}$ represents the account view of the money distribution M. A money distribution M can be represented as a pair $(\mathscr {B}, \sigma (M,\cdot ))$. This is equivalent of hiding the units of the money distribution M from an owner b and showing only the account balance $\sigma (M,b)$.

Money distribution is only a static picture of money and does not distinguish different money schemes. What makes the most important technical difference between money schemes are the payments.

Money Transformations and Payments

Payments are certain type of transformations that change the money distribution, but preserve the total amount $\sigma (M)$ of money. Before defining payments, we define money transformations that do not necessarily preserve $\sigma (M)$.

Definition 1

(Money transformation) A money transformation P is a function $P:\mathscr {M}\rightarrow \mathscr {M}$ defined as a rule on a finite subset $U_P$ of units such that for every $u\in U_p$, it is described how the unit itself and its parameters $\nu (u)$ and $\beta (u)$ are changed by P. For every money distribution $M=(U,\nu ,\beta )$, a money transformation P may:

Delete u, if $u\in U$. If $u\not \in U$, then P cannot be applied to M.
Create u and define $\nu (u)$ and $\beta (u)$, if $u\not \in U$. If $u\in U$, then P cannot be applied to M.
Reduce or rise the value of u by a certain way and/or change the bearer of u, assuming that the value of u cannot become negative. If this would happen or if $u\not \in U$, then P cannot be applied to M.

We assume that if P cannot be applied to M, then $P(M)=M$. Note that P(M) does not depend on units outside $U_P$ nor their parameters.

A money transformation P with $U_P=\emptyset $ is called the identity transformation and is denoted by $1_\mathscr {M}$ or simply 1. The following lemmas (Lemmas 1, 2, 3) are direct corollaries from Definition 1.

Lemma 1

Let P be a money transformation and $M=(U,\nu ,\beta )$ be any money distribution such that $M\ne P(M)$. Let $M'=(U',\nu ', \beta ')$ be a money distribution such that $U\cap U_P=U'\cap U_P$, $\nu (u)=\nu '(u)$, $\beta (u)=\beta '(u)$ for all $u\in U\cap U_P$, i.e. $M'$ differs from M only by the units $u\not \in U_P$ and possibly by their values $\nu (u)$ and $\beta (u)$. Then also $M'\ne P(M')$.

Proof

As the status of the units of $U_P$ in $M'$ is the same as in M, and the rules of P can be applied to M, then P can be applied to $M'$. $\square $

Lemma 2

If $P,P'$ are money transformations and $M\ne P(M)=P'(M)$ for $M\in \mathscr {M}$, then $P=P'$, i.e. $P(M')=P'(M')$ for every $M'\in \mathscr {M}$.

Proof

The assumption $M\ne P(M)=P'(M)$ implies that the rules of both P and $P'$ can be applied to M and they change M in the same way.

If a unit u was deleted in M, then the rules of both P and $P'$ contain the instruction to delete u.
If a unit u was created in M, then the rules of both P and $P'$ contain an instruction to create u with exact same parameters.
If the parameters of a unit u were changed in M, then the rules of both P and $P'$ contain the instruction to change the parameters of u in exact same way.

The rules of P and $P'$ cannot contain more instructions than such changes indicate. Therefore, P and $P'$ are defined by the same rules and hence, they act on every $M'$ in exact same way. $\square $

Lemma 3

For every money transformation $P\ne 1$, there is a money distribution M where $P(M)\ne M$.

Proof

For every $u\in U_P$, if P creates u, choose $M=(U,\nu ,\beta $ in a way that $u\not \in U$; if P deletes u, make sure that $u\in U$. If P reduces $\nu (u)$ by d, make sure that $\nu (u)\ge d$. It is easy to see that a finite U exists that satisfies all these requirements, because $U_P$ is finite. $\square $

Note that the composition $P_1\circ P_2$ of two money transformations $P_1$ and $P_2$ is not always a money transformation. For example, if $P_2$ reduces the value of u by 10, and $P_1$ rises the value of u by 20, then in a money distribution $M_1=(U_1,\nu _1,\beta _1)$ where $u\in U_1$ and $\nu _1(u)=5$, and in another money distribution $M_2=(U_2,\nu _2,\beta _2)$ where $u\in U_2$ and $\nu _2(u)=10$, the unit u is changed differently by $P_1\circ P_2$. Indeed, in $(P_1\circ P_2)(M_1)$ the value of u will be 25 (i.e. raised by 20), but in $(P_1\circ P_2)(M_2)$ the value of u will be 15 (i.e. raised by 10). Therefore, to describe the action of compositions $P_1\circ P_2$ one may need different unit-based rules in money distributions $M_1$ and $M_2$.

Definition 2

(Non-redundant composition) A composition $P_m\circ \cdots \circ P_1$ of money transformations $P_i$ is non-redundant at a money distribution M if $M_{i-1}\ne P_i(M_{i-1})$ for every $i\in \{1,\ldots ,m\}$, where $M_0,M_1,\ldots ,M_m$ are money distributions such that $M_0 = M$ and $M_{j}=P_j(M_{j-1})$ for every $j\in \{1,\ldots ,m\}$.

Definition 3

(Co-product) The co-product $P_1\oplus P_2$ of money transformations $P_1,P_2$ with $U_{P_1}\cap U_{P_2}=\emptyset $ is a money transformation P with $U_P=U_{P_1}\cup U_{P_2}$ and with the rule that if $u\in U_{P_1}$, then the rule of $P_1$ is applied, and if $u\in U_{P_2}$, then the rule of $P_2$ is applied. If any of the rules cannot be applied to a money distribution M, then $(P_1\oplus P_2)(M)=M$.

Hence, it might be that $(P_1\oplus P_2)(M)=M$, but $P_1(M)\ne M$ or $P_2(M)\ne M$. Note also that, if $M\ne (P_1\oplus P_2)(M)$, then $(P_1\oplus P_2)(M)= P_2(P_1(M))$, but in general, this is not true.

Definition 4

(Payment) A payment is a money transformation P that does not change the total amount of money, i.e. $\sigma (P(M))=\sigma (M)$ for every $M\in \mathscr {M}$.

Some examples of payments that act on a money distribution $M=(U,\nu ,\beta )$:

Identity transformation $1_\mathscr {M}$ changes no units.
Account payments change the values $\nu (u)$ and $\nu (v)$ of two units (accounts) $u,v\in U$. The resulting money distribution is $(U', \nu ', \beta ')$, where $U'=U$, $\beta '=\beta $ (no accounts are deleted/created and their owners stay the same), and $\nu '(u)+\nu '(v)= \nu (u)+\nu (v)$, i.e. total amount of money does not change.
Bill payments change only the owner $\beta (u)$ of a unit (bill) u. The resulting money distribution is $(U', \nu ', \beta ')$, where $U'=U$, $\nu '=\nu $ (no units are created/deleted and their values stay the same), but possibly $\beta '(u)\ne \beta (u)$.
UTXO payments delete a set $\{u_1, \ldots , u_m\}$ of units (UTXOs) and create a set $\{v_1, \ldots , v_k\}$ of units so that $\nu (u_1)+ \ldots + \nu (u_m) = \nu '(v_1) + \ldots + \nu '(v_k)$ in the resulting money distribution $(U',\nu ',\beta ')$.

Money Schemes

A money scheme describes which money distributions and which payments are allowed in an application of money.

Definition 5

(Money scheme) A money scheme is a pair $(\mathscr {M}, \mathscr {P})$, where $\mathscr {M}$ is a set of money distributions and $\mathscr {P}$ is a set of payments, such that the next properties hold:

Identity: $1_\mathscr {M}\in \mathscr {P}$.
Accessibility of money: For every $M\in \mathscr {M}$ and $b\in \mathscr {B}$, there is $P\in \overline{\mathscr {P}}$ such that $\sigma (P(M),b)=0$, i.e. bearers can always spend all their money. Here, $\overline{\mathscr {P}}$ denotes the set of all finite compositions $P=P_1\circ \cdots \circ P_m$ of $P_i\in \mathscr {P}$.

In this work, we assume for simplicity that $\mathscr {M}$ is always the set of all money distributions as defined in “Money Distributions”. This simplification is justified because only the payments make difference between money schemes.

A composition $P=P_1\circ P_2$ of payments $P_1,P_2\in \mathscr {P}$ is not necessarily a payment. From practical implementation view-point, payments represent transactions that are initiated by payment orders sent to the money and payment system by its users. If two users send their payment orders $P_1, P_2$ to the system, then the money and payment system does not necessarily accept “composite" payment orders the execution of which is equivalent to applying $P_1\circ P_2$ to the current money distribution. For every $P\in \overline{\mathscr {P}}$, we define a function $\Delta _P:\mathscr {M}\times \mathscr {B}\rightarrow \mathbb {Z}$, so that

$$\begin{aligned} \Delta _P(M,b) = \sigma (M,b) - \sigma (P(M),b), \end{aligned}$$

which shows how the account balance of b is changed by P. If $\Delta _P(M,b)>0$, then b pays money to other bearers, and if $\Delta _P(M,b)<0$, then b receives money via P.

Lemma 4

(Uniformity of amount) If $(\mathscr {M}, \mathscr {P})$ is a money scheme with the bearer set $\mathscr {B}$, $P\in \mathscr {P}$, $M,M'\in \mathscr {M}$, $b\in \mathscr {B}$, $P(M)\ne M$, and $P(M')\ne M'$, then

$$\begin{aligned} \Delta _P(M',b)= \Delta _P(M,b). \end{aligned}$$

Proof

Direct implication from the description of payments via actions on all potential units $u\in \mathscr {U}$ (Definition 1, Definition 4). If P can be applied to both money distributions M and $M'$, then P changes them in exactly the same way. $\square $

Definition 6

(Subscheme) A money scheme $(\mathscr {M}, \mathscr {P})$ is a subscheme of a money scheme $(\mathscr {M}, \mathscr {P}')$, if $\mathscr {P}\subseteq \mathscr {P}'$.

Categorization of Money Schemes by Invariance

In this subsection, we present a full list of types of money schemes $(\mathscr {M}, \mathscr {P})$, based on the invariance of components U, $\nu $, and $\beta $ of money distributions under the payments $P\in \mathscr {P}$ of the money scheme. From a purely combinatorial viewpoint, there are eight classes of schemes as presented in Table 1:

1.
If all three parameters U, $\nu $, and $\beta $ are invariant, then the payments do not change the money distribution, which means that money does not flow, and hence, this class of schemes is not interesting.
2.
There exist no schemes, in which only U changes, because, by changing the domain of functions $\nu $ and $\beta $ also means changing $\nu $ and $\beta $ as functions.

So, only five of these eight types are of practical interest:

1.
Schemes in which only the bearer function $\beta $ changes, i.e., bill schemes.
2.
Schemes in which only the value function $\nu $ changes, i.e., account schemes.
3.
Schemes in which only $\beta $ and $\nu $ change, one example of which is the extended account scheme, where in addition to ordinary account transfers, the owners of accounts may also change.
4.
Schemes in which all parameters may change, i.e., the hybrid schemes, an example of which is the UTXO scheme.

Table 1 Map of money schemes

Full size table

For having a closer view on how money schemes can be constructed, especially the hybrid schemes, we will study in “Descriptional complexity of payments” the algebraic structure of payments, i.e. how more complex payments can be constructed from simpler ones.

Descriptional Complexity of Payments

In this section, we describe and categorise all possible types of payments and show how payments can be algebraically decomposed to irreducible payments.

As every payment P is a money transformation, it is represented as a rule on a finite subset $U_P\subset \mathscr {U}$ of units, that is a non-intersecting union $U_P=U^-_P\cup U^+_P\cup U^0_P$ of the next subsets:

$U^-_P$: the set of units that P deletes.
$U^+_P$: the set of units that P creates.
$U^0_P$: the set of units u the parameters $\nu (u), \beta (u)$ of which are changed by P.

The descriptional complexity $\Vert P\Vert $ of P is the sum of the sizes of $U^-_P, U^+_P, U^0_P$, i.e. $\Vert P\Vert = \Vert U^-_P\Vert +\Vert U^+_P\Vert +\Vert U^0_P\Vert $. The input complexity $\Vert P\Vert _\textsf{in}$ of P is the sum of the sizes of $U^-_P, U^0_P$, i.e. $\Vert P\Vert _\textsf{in} = \Vert U^-_P\Vert +\Vert U^0_P\Vert $. For $P=1_\mathscr {M}$, we have $\Vert P\Vert = \Vert P\Vert _\textsf{in} = 0$, and vice versa, if $\Vert P\Vert = 0$ for a payment P, then $U^-_P = U^+_P = U^0_P = \emptyset $, which means that P does not create/delete units nor changes the parameters of any units which means that $P=1_\mathscr {M}$. In the following, we present three more examples of the complexities of payments:

Single bill transfer: A payment P that changes the bearer of a single unit u and does nothing else. In this case, $\Vert P\Vert = \Vert P\Vert _\textsf{in} = 1$.
Account payment: A payment P that changes the values $n_1, n_2$ of two units $u_1$ and $u_2$ to $n'_1, n'_2$ so that $n'_1 + n'_2 = n_1 + n_2$. In this case, $\Vert P\Vert = \Vert P\Vert _\textsf{in} = 2$.
UTXO payment: A payment P that deletes units $u_1, \ldots , u_k$ with values $n_1, \ldots , n_k$ and creates units $u'_1, \ldots , u'_\ell $ with values $n'_1, \ldots , n'_\ell $ so that $n'_1 + \cdots + n'_\ell = n_1 + \cdots + n_k$. In this case, $\Vert P\Vert = k+\ell $ and $\Vert P\Vert _\textsf{in} = k$.

Definition 7

(Composition-irreducible payments) A payment P is reducible at a money distribution $M\in \mathscr {M}$ if $M\ne P(M)$ and there exists a non-redundant at M composition $P_m\circ \cdots \circ P_1$ of payments with $\Vert P_i\Vert <\Vert P\Vert $ for all $i\in \{1,\ldots ,m\}$ such that

$$\begin{aligned} P(M) = (P_m\circ \cdots \circ P_1)(M). \end{aligned}$$

A payment P is composition-irreducible if no such composition exists for P at any money distribution M.

Theorem 1

The next payments P with $\Vert P\Vert \le 2$ are composition-irreducible:

Zero creation—creates a unit with value 0, i.e. $\Vert P\Vert = 1$ and $\Vert P\Vert _\textsf{in} = 0$.
Zero deletion—deletes a unit with value 0, i.e. $\Vert P\Vert = 1$ and $\Vert P\Vert _\textsf{in} = 1$.
Single unit transfer—changes the bearer of one unit, i.e. $\Vert P\Vert = \Vert P\Vert _\textsf{in} = 1$.
Transfer with recreation—deletes a unit u (with a non-zero value) and creates a new unit v with the same value, i.e. $\Vert P\Vert = 2$ and $\Vert P\Vert _\textsf{in} = 1$.
Two unit split—creates a new unit v (with non-zero value) and changes the parameters of another unit u (reduces the value by $\nu (v)$, and possibly, changes the bearer), i.e. $\Vert P\Vert = 2$ and $\Vert P\Vert _\textsf{in} = 1$.
Two unit join—deletes a unit u (with non-zero value) and changes the parameters of another unit v (raises the value $\nu (v)$ by $\nu (u)$, and possibly, changes the bearer $\beta (v)$), i.e. $\Vert P\Vert = \Vert P\Vert _\textsf{in} = 2$.
Two-unit swap—changes the values and possibly bearers of two units u, v, i.e. $\Vert P\Vert = \Vert P\Vert _\textsf{in} = 2$.

Proof

First, we categorize all payments P with $\Vert P\Vert = 1$. They are all composition-irreducible as the only payment with complexity 0 is the identity transformation 1. Let $M\in \mathscr {M}$ be a money distribution such that $M\ne P(M)$, which exists due to Lemma 3. There are three possibilities:

$\Vert U^-_P\Vert = 1$, $\Vert U^+_P\Vert = \Vert U^0_P\Vert = 0$: This means that P just deletes a unit u and does nothing else. As P preserves total money, the value of u must be zero. Hence, P is a zero-deletion.
$\Vert U^+_P\Vert = 1$, $\Vert U^-_P\Vert = \Vert U^0_P\Vert = 0$: This means that P just creates a unit u and does nothing else. As P preserves total money, the value of u must be zero. Hence, P is a zero-creation.
$\Vert U^0_P\Vert = 1$, $\Vert U^+_P\Vert = \Vert U^-_P\Vert = 0$: This means that P does not create/delete units but changes the parameters of a single unit u. As P preserves total money, it cannot change the value of u. Hence, P is a single-unit transfer.

Secondly, we categorize all payments P with $\Vert P\Vert = 2$. There are the following possibilities:

$\Vert U^0_P\Vert = 0$, $\Vert U^-_P\Vert = \Vert U^+_P\Vert = 1$: This means that P deletes a unit u and creates another unit v. As P preserves total money, u and v have the same value. The value must be non-zero, because otherwise P acts on M as a composition of a zero-deletion and a zero-creation. Hence, P is a transfer with recreation. Obviously, P is composition-irreducible, because the creation and deletion operations are not payments.
$\Vert U^-_P\Vert = 0$, $\Vert U^+_P\Vert = \Vert U^0_P\Vert = 1$: This means that P creates a unit and changes the parameters of another unit. The created unit must have non-zero value, because otherwise P acts on M as a composition of a zero creation and a single unit transfer. Hence, P is a two unit split and is composition-irreducible because the creation of a unit and changing the value of a unit are not payments.
$\Vert U^+_P\Vert = 0$, $\Vert U^-_P\Vert = \Vert U^0_P\Vert = 1$: This means that P deletes a unit and changes the parameters of another unit. The deleted unit must have non-zero value, because otherwise P acts as a composition of a zero deletion and a single unit transfer. Hence, P is a two unit join.
$\Vert U^0_P\Vert = 2$, $\Vert U^-_P\Vert = \Vert U^+_P\Vert = 0$: This means that P changes the parameters of two units. We have two sub-cases:
- If P changes the values of the units, then P is a two-unit swap.
- If P does not change the values of the units but only their bearers, then P acts on M as a composition of two single-unit transfers and is not composition-irreducible.
$\Vert U^-_P\Vert = 2$, $\Vert U^0_P\Vert = \Vert U^+_P\Vert = 0$: This means that P deletes two units and does nothing else. In this case, P acts on M as a composition of two zero-deletions and is not composition-irreducible.
$\Vert U^+_P\Vert = 2$, $\Vert U^0_P\Vert = \Vert U^-_P\Vert = 0$: This means that P creates two units and does nothing else. In this case, P acts on M as a composition of two zero-creations and is not composition-irreducible.

$\square $

Corollary 2

Every payment P with $\Vert P_i\Vert \le 2$ acts on any money distribution M either as 1, a composition-irreducible payment, or a composition $P_2\circ P_1$ of two composition-irreducible payments $P_1,P_2$ with $\Vert P_1\Vert =\Vert P_2\Vert =1$.

We will show next that every payment P acts on every money distribution M as a non-redundant at M composition of payments $P_i$ with $\Vert P_i\Vert \le 2$, and hence, these seven payment types listed by Theorem 1 are the only existing composition-irreducible payments.

Definition 8

(Value-invariant compositions) A finite composition P of payments is value-invariant at a money distribution M if when applied to M it does not create or delete units u with the value $\nu (u)>0$, neither it changes the value of any unit.

It is easy to see that for every composition of payments P that is value-invariant at M, there are payments $P_1, \ldots , P_m$ all being either zero-creations, zero-deletions, or single-unit transfers, such that $P(M)=(P_m\circ \cdots \circ P_1)(M)$ is a composition that is non-redundant at M.

Theorem 3

For every finite composition P of payments and for every money distribution M such that $M\ne P(M)$ there exists a composition $P_m\circ \cdots \circ P_1$ of payments $P_i$ with $\Vert P_i\Vert \le 2$ that is non-redundant at M such that $P(M) = (P_m\circ \cdots \circ P_1)(M)$.

Proof

Let P be any composition of payments and M be a money distribution such that $M\ne P(M)$. We use induction on the number n of units the value of which is changed by P. If $n=0$, then P is value-invariant at M and the statement of the theorem follows from the observation that P is a non-redundant composition of zero-creations, zero-deletions, and single-unit transfers, and the descriptional complexity of all these three types of payments is 1.

Assume that $n>0$ and the statement of the theorem holds for smaller values of n. Hence, P is not value-invariant at M, and u is a unit the value of which is changed by the amount $d>0$. We also take into account the cases where u is created or deleted by P. We choose u in a way that d is minimal. Because of the money invariant and the minimality of d, there must be a unit v the value of which is changed (by P) by the amount of $d'\ge d$ but to the opposite direction compared to u.

Let $P_1$ be a payment that only changes the values of u and v by d and to the same direction as P. For example, if P creates u and reduces the value of v by $d'$, then $P_1$ also creates u but reduces the value of v only by d. The descriptional complexity of $P_1$ is $\Vert P_1\Vert \le 2$. Note also that the composition $P\circ P_1^{-1}$ of payments changes the value of a less number of units in $M'=P_1(M)$ compared to how many values P changes on M as $P\circ P_1^{-1}$ does not change the value of u. If $P_1(M)=(P\circ P_1^{-1})(P_1(M))$, then

$$\begin{aligned} P(M)=(P\circ P_1^{-1}\circ P_1)(M) = (P\circ P_1^{-1})(P_1(M)) = P_1(M), \end{aligned}$$

and the statement holds. If $P_1(M)\ne (P\circ P_1^{-1})(P_1(M))$ then we can apply the induction step, i.e. there is a non-redundant (at $P_1(M)$) composition $P_{m}\circ \cdots \circ P_2$ of payments with descriptional complexity $\Vert P_i\Vert \le 2$, such that

$$\begin{aligned} (P_{m}\circ \cdots \circ P_2)(P_1(M)) = (P_m\circ \cdots \circ P_1)(M) \end{aligned}$$

and as $M\ne P_1(M)$, the composition $P_m\circ \cdots \circ P_1$ is non-redundant at M. $\square $

Corollary 4

For every payment P and for every $M\in \mathscr {M}$ there exist composition-irreducible payments $P_1, \ldots , P_m$ such that

$$\begin{aligned} P(M) = (P_m\circ \cdots \circ P_1)(M). \end{aligned}$$

Proof

Direct implication from Theorem 1, Corollary 2, and Theorem 3. $\square $

Implementations of Money Schemes

Money schemes are special cases of transition systems. Every transition system is a pair (S, T), where S is the set of states and T is a set of state transitions (functions of type $S\rightarrow S$) that contains the identity transition $1_S$ (sometimes denoted simply by 1) defined by $1_S(s)=s$ for every $s\in S$. Transition systems are equivalent to state machines and in this paper we refer to them simply as machines. This is motivated by modelling machine-implementations of money schemes. For any transition system (S, T), we denote by $\overline{T}$ the set of all finite compositions $t_1\circ \cdots \circ t_m$, where $t_i\in T$.

Definition 9

(Implementation) A transition system (S, T) implements a money scheme $(\mathscr {M}, \mathscr {P})$ if (Fig. 1):

1.
There is a surjective interpretation map $\pi :S\rightarrow \mathscr {M}$, i.e. every state s of the machine is interpreted as a money distribution $M=\pi (s)$ (Fig. 1, left).
2.
For every payment $P\in \mathscr {P}$ and every state $s\in S$ interpreted as a money distribution $M\in \mathscr {M}$ (i.e. $\pi (s)=M$) there is a transition $t\in T$ such that the state $s'=t(s)$ is interpreted as the money distribution P(M), i.e. $\pi (s')=\pi (t(s)) = P(\pi (s)) = P(M)$ (Fig. 1, right).

A decomposition of a money scheme is an implementation of the money scheme with two machines, formally defined as follows:

Definition 10

(Decomposition) Transition systems $(S_1,T_1),(S_2,T_2)$ decompose a money scheme $(\mathscr {M}, \mathscr {P})$ if (Fig. 2):

1.
There is a surjective interpretation map $\pi :S_1\times S_2\rightarrow \mathscr {M}$, i.e. every pair of states $s_1\in S_1, s_2\in S_2$ of the machines is interpreted as a money distribution $M=\pi (s_1,s_2)$ (Fig. 2, left).
2.
For every $P\in \mathscr {P}$ and every pair of states $s_1\in S_1, s_2\in S_2$ interpreted as a money distribution $\pi (s_1,s_2)=M\in \mathscr {M}$ there exist $t_1\in T_1, t_2\in T_2$ such that the pair of states $s'_1=t_1(s_1), s'_2 = t_2(s_2)$ is interpreted as the money distribution P(M), i.e. (Fig. 2, right)
$$\begin{aligned} \pi (s'_1,s'_2)=\pi (t_1(s_1),t_2(s_2)) = P(\pi (s_1,s_2)) = P(M). \end{aligned}$$

Decomposition of a money scheme can also be defined as an implementation of the money scheme by the direct product of the machines $(S_1,T_1),(S_2,T_2)$, which is defined as a machine (S, T), where $S=S_1\times S_2$ and $T=T_1\times T_2$ and for every $t=(t_1,t_2)\in T_1\times T_2$ and $s=(s_1,s_2)$ the new state $s'=t(s)$ is defined by $t(s) = (t_1(s_1), t_2(s_2))$.

From a more general viewpoint, all transition systems with identity transformations (machines) are objects of a category, in which the morphisms are defined as partial implementations (Definition 11).

Definition 11

(Partial implementation) A partial implementation of a machine $M_2=(S_2,T_2)$ by a machine $M_1=(S_1,T_1)$ is a function $f:S_1\rightarrow S_2$ such that for every $s_1\in S_1$ and every $t_2\in T_2$, there is $t_1\in T_1$ such that $f(t_1(s_1)) = t_2(f(s_1))$.

As the identity map $1_S:S\rightarrow S$ is a partial implementation of $M=(S,T)$ by itself and the composition of two partial implementations is a partial implementation, we have a category structure. One can also show that the epimorphisms of this category are exactly the surjective partial implementations and the monomorphisms are exactly the injective partial implementations. The implementations in terms of Definition 9 (i.e. the interpretation maps $\pi $) are exactly the epimorphisms from machines to money schemes. However, the direct product of two machines is not always a product in terms of the category (see Appendix B for details).

Blockchain Implementations

By an evolution of a transition system (S, T) is a sequence

$$\begin{aligned} (s_0, \tau _0; (t_1,\tau _1), (t_2,\tau _2), \ldots , (t_m, \tau _m)), \end{aligned}$$

where $s_0\in S$ is the initial state, $t_1,t_2, \ldots , t_m\in T$ are transitions, and $\tau _0<\tau _1<\tau _2< \cdots < \tau _m$ are real numbers interpreted as timestamps. The final state $s'$ of the evolution is defined by $s'=t_m(t_{m-1}(\ldots t_1(s_0) \ldots ))$. Intuitively, evolution is a description of the execution of the transition system in time.

For security-critical transition systems such as money schemes it is vital to store the evolution and protect its integrity with cryptography. Therefore, certificates $C_0,C_1, C_2, \ldots , C_m$ to the evolution, so that the certified evolution

$$\begin{aligned} (s_0, \tau _0, C_0;\,\, (t_1,\tau _1, C_1), (t_2,\tau _2,C_2), \ldots , (t_m, \tau _m, C_m)) \end{aligned}$$

cannot be maliciously modified without making it cryptographically inconsistent. The certificates also prove the uniqueness of the certified evolution, i.e. it must convince the verifiers that there exist no alternative versions of the evolution.

What is also important for the verifiers is whether they see the whole evolution that includes all transition that have been executed so far, i.e. if verification happens at time $\tau $, then also the fact that no transitions happened in between $\tau _m$ and $\tau $. This suggests a certification scheme, where transitions of the evolution are certified in batches (blocks) in a pre-determined time schedule and the certified evolution being in the form:

$$\begin{aligned} (s_0,\tau _0,C_0; (B_1,\tau _1, C_1), (B_2,\tau _2,C_2), \ldots , (B_m, \tau _m, C_m)) \end{aligned}$$

(1)

where every block $B_i$ represents a composition $t^1_i\circ \cdots \circ t^{m_i}_i$ of transitions. Note that some blocks $B_i$ may be empty and in this case, they represent the identity transition $1_S$. Certified data structures in the form of (1) are called blockchains.

Blockchain implementation of a transition system (S, T) is a network of machines called a blockchain node that consists of three machines (Fig. 3):

File repository—stores certified blocks and, on request, provides applications with blockchain data.
Certifier—regularly (based on clock) creates block certificates based on a cryptographic hash of the block.
Transaction validator—receives transition orders from applications, verifies them using the current state $s\in S$, combines transactions to blocks, obtains certificates from the certifier, and sends certified blocks to the file repository.

A blockchain implementation of a composed money scheme with two transition systems $(S_1,T_1)$ and $(S_2, T_2)$ is a network of machines called a sharded blockchain node (Fig. 4). It has two independent transaction validators that implement $(S_1,T_1)$ and $(S_2, T_2)$ and produce sub-blocks $B^1$ and $B^2$, respectively. It also has two file repositories, and a common certifier for both blocks. The blockchain produced by the first transaction validator is in the form:

$$\begin{aligned} (s^1_0,\tau _0,\Pi ^1_0,C_0; (B^1_1,\tau _1, \Pi ^1_1,C_1), (B^1_2,\tau _2, \Pi ^1_2,C_2), \ldots , (B^1_m, \tau _m, \Pi ^1_m,C_m)) , \end{aligned}$$

where $\Pi ^1_i$ denotes additional information (usually in the form of a hash chain) that helps to verify the blockchain against the certificate $C_i$. Analogously, the blockchain produced by the second transaction validator is in the form:

$$\begin{aligned} (s^2_0,\tau _0,\Pi ^2_0,C_0; (B^2_1,\tau _1, \Pi ^2_1,C_1), (B^2_2,\tau _2, \Pi ^2_2,C_2), \ldots , (B^2_m, \tau _m, \Pi ^2_m,C_m)) . \end{aligned}$$

For executing a payment P, two transaction orders $t_1, t_2$ has to be sent to the two transaction validators (Fig. 4) and the validators include these transactions to the blocks $B^1$ and $B^2$, respectively.

Atomic Decomposition of Money Schemes

As the blocks have to be produced based on a fixed time schedule, there is a limited time for the validators to decide whether to include $t_1$ and $t_2$ to the blocks $B^1$ and $B^2$. Considering possible message loss and network delays between the transaction validators and applications, it is always possible that only one of the transactions $t_1,t_2$ is received in time (considering the block creation schedule).

It is known that there exist no deterministic time protocols (executed between transaction validators) which ensure that either $t_1\in B^1$ and $t_2\in B^2$, or $t_1\not \in B^1$ and $t_2\not \in B^2$. Such a communication problem is often called the two generals problem. Therefore, it is possible that $t_1\in B^1$ but $t_2\not \in B^2$ and vice versa. In transition system terms, instead of executing $(t_1,t_2)$, either $(t_1,1)$ or $(1,t_2)$ is executed in the implementing machines.

If $(S_1,T_1), (S_2, T_2)$ represent a decomposition of a money scheme $(\mathscr {M}, \mathscr {P})$ and such errors cannot in principle be avoided, we can only ask how the partial transactions $(t_1,1),(1,t_2)$ are interpreted in the money scheme as changes of the money distribution. Do they preserve total money? Are they payments? If yes, are they in $\mathscr {P}$? If the current states are $s_1\in S_1$ and $s_2\in S_2$ and money distribution is $M=\pi (s_1,s_2)$, then $P(M)=\pi (t_1(s_1), t_2(s_2))$. The money distribution after applying the erroneous pair $(t_1,1)$ is $M_1=\pi (t_1(s_1), s_2)$ and after applying $(1,t_2)$, the resulting money distribution is $M_2=\pi (s_1, t_2(s_2))$.

The following definition of atomic decomposition (Definition 12, item 1) requires that there are at least payments $P_1, P_2\in \mathscr {P}$ such that $P_1(M)=M_1$ and $P_2(M)=M_2$. In practical implementations, one may require some more. For example, that $P_1,P_2$ represent partial payments, i.e. if a bearer b pays or receives money via P, then the same happens via $P_1$ and $P_2$ but possibly, the received/paid amount is smaller. We also require that independently acting on $(S_1,T_1), (S_2, T_2)$ with any pair of $t_1\in T_1$, $t_2\in T_2$ is always interpreted as a payment. Item 2 and item 3 of Definition 12 require that if we apply a transition t in just one component and this is interpreted as change the money distribution, then t also will change the money distribution independent of the state of the other component.

Definition 12

(Atomic decomposition) Transition systems $(S_1,T_1), (S_2, T_2)$ together with the interpretation map $\pi $ represent an atomic decomposition of a money scheme $(\mathscr {M}, \mathscr {P})$ iff for every $s_1\in S_1$, $s_2\in S_2$, $M=\pi (s_1,s_2)$, and $t_1\in T_1$, $t_2\in T_2$, there exists $P\in \mathscr {P}$, such that $P(M)=\pi (t_1(s_1),t_2(s_2))$, and for every such P, there exist $P_1,P_2\in \mathscr {P}$ so that:

1.
$P_1(M)=\pi (t_1(s_1), s_2)$ and $P_2(M) =\pi (s_1, t_2(s_2))$.
2.
If $P'_1\in \mathscr {P}$ and $M\ne P'_1(M)=\pi (t_1(s_1),s_2)$, then for every $s''_2\in S_2$:
$$\begin{aligned} \pi (s_1,s''_2)\ne P'_1(\pi (s_1,s''_2))=\pi (t_1(s_1),s''_2). \end{aligned}$$
3.
If $P'_2\in \mathscr {P}$ and $M\ne P'_2(M)=\pi (s_1,t_2(s_2))$, then for every $s''_1\in S_1$:
$$\begin{aligned} \pi (s''_1,s_2)\ne P'_2(\pi (s''_1,s_2))=\pi (s''_1,t_2(s_2)). \end{aligned}$$

If a money scheme $(\mathscr {M}, \mathscr {P})$ is decomposed by transition systems $(S_1,T_1), (S_2, T_2)$ and an interpretation map $\pi :S_1\times S_2\rightarrow \mathscr {M}$, then in general, $(S_1,T_1)$ and $(S_2, T_2)$ do not necessarily represent money schemes. However, if such a decomposition is atomic, we can show that in some sense this is the case. We will show that it is possible to define two functions $\sigma _1:S_1\times \mathscr {B}\rightarrow \mathbb {N}$ and $\sigma _2:S_2\times \mathscr {B}\rightarrow \mathbb {N}$ so that given a bearer $b\in \mathscr {B}$ and states $s_1\in S_1$, $s_2\in S_2$, the values $\sigma _1(s_1,b)$ and $\sigma _2(s_2,b)$ will show how much money b has in $S_1$ and $S_2$, respectively. We also show that for $M=\pi (s_1,s_2)$

$$\begin{aligned} \sigma (M,b) = \sigma _1(s_1,b) + \sigma _2(s_2,b), \end{aligned}$$

i.e. the total money b owns in the money scheme is the sum of money b holds in $s_1$ and the money b holds in $s_2$. Moreover, we show that the values $\sigma _1(s_1) = \sum _{b\in \mathscr {B}}\sigma _1(s_1,b)$ and $\sigma _1(s_2) = \sum _{b\in \mathscr {B}}\sigma _2(s_2,b)$ are invariant under the payments of the money scheme and $\sigma (M) = \sigma _1(s_1) + \sigma _2(s_2)$. This implies, that in an atomically decomposed money scheme there is no transfer of value from one component to another.

We define the money $\sigma _1(s_1,b)$ the bearer b owns in the first system as the largest amount of money b can pay using a sequence of transitions of type $(t_1,1)$, and analogously, the money $\sigma _2(s_2,b)$ the bearer b has in the second system as the largest amount of money b can pay using a sequence of transitions of type $(1, t_2)$.

Definition 13

(Functions $\sigma _1$, $\sigma _2$) For any states $s_1\in S_1$, $s_2\in S_2$, and a bearer $b\in \mathscr {B}$:

$\sigma _1(s_1,b)$ is the largest number $n_1\in \mathbb {N}$ such that there is $t_1\in \overline{T}_1$ such that $\sigma (\pi (s_1,s_2),b) - \sigma (\pi (t_1(s_1),s_2),b) = n_1$.
$\sigma _2(s_2,b)$ is the largest number $n_2\in \mathbb {N}$ such that there is $t_2\in \overline{T}_2$ such that $\sigma (\pi (s_1,s_2),b) - \sigma (\pi (s_1,t_2(s_2)),b) = n_2$.
$\sigma _1(s_1)$ is the sum $\sum _{b\in \mathscr {B}} \sigma _1(s_1,b)$.
$\sigma _2(s_2)$ is the sum $\sum _{b\in \mathscr {B}} \sigma _2(s_2,b)$.

Lemma 5

The value of $\sigma _1(s_1,b)$ does not depend on $s_2$ neither $\sigma _2(s_2,b)$ on $s_1$.

Proof

If $\sigma _1(s_1,b)=0$ for every state $s_2$, then the statement is trivially true. Let $t_1=t^m_1\circ \cdots \circ t^1_1\in \overline{T}_1$ and $s_2$ be a state such that

$$\begin{aligned} \sigma _1(s_1,b)=\sigma (\pi (s_1,s_2),b) - \sigma (\pi (t_1(s_1),s_2),b)\ne 0 \end{aligned}$$

(2)

Let $s^0_1,s^1_1, \ldots , s^m_1\in S_1$ be a sequence of states such that $s^0_1 = s_1$ and $s^{i}_1 = t^i_1(s^{i-1}_1)$ for every $i\in \{1, \ldots , m\}$. Hence, by applying telescoping to (2):

$$\begin{aligned} \sigma _1(s_1,b)= & \, \sum _{i=1}^m (\sigma (\pi (s^{i-1}_1,s_2),b) - \sigma (\pi (t^i_1(s^{i-1}_1),s_2),b)). \end{aligned}$$

We can assume without loss of generality that $\pi (t^i_1(s^{i-1}_1),s_2)\ne \pi (s^{i-1}_1,s_2)$, because otherwise we can just omit such $t^i_1$ from $t_1$. Let $M_{i-1} = \pi (s^{i-1}_1,s_2)$. By atomicity (Definition 12, item 1), there exists $P^i_1\in \mathscr {P}$ such that $M_{i-1}\ne P^i_1(M_{i-1}) = \pi (t^i_1(s^{i-1}_1),s_2)$, and therefore, $\sigma (\pi (s^{i-1}_1,s_2),b) - \sigma (\pi (t^i_1(s^{i-1}_1),s_2),b)=\Delta _{P^i_1}(M_{i-1},b)$. Let $s'_2\in S_2$ be any state and let $M'_{i-1}=\pi (s^{i-1}_1, s'_2)$. By atomicity (Definition 12, item 2), $M'_{i-1}\ne P^i_1(M'_{i-1}) = \pi (t^i_1(s^{i-1}_1),s'_2)$ and hence, by the uniformity of amount (Lemma 4), $\Delta _{P^i_1}(M_{i-1},b) = \Delta _{P^i_1}(M'_{i-1},b) = \sigma (\pi (s^{i-1}_1,s'_2),b) - \sigma (\pi (t^i_1(s^{i-1}_1),s'_2),b)$. Therefore:

$$\begin{aligned} \sigma _1(s_1,b)= & \, \sum _{i=1}^m (\sigma (\pi (s^{i-1}_1,s'_2),b) - \sigma (\pi (t^i_1(s^{i-1}_1),s'_2),b))\\= & \, \sigma (\pi (s_1,s'_2),b) - \sigma (\pi (t_1(s_1),s'_2),b). \end{aligned}$$

The proof for $\sigma _2(s_2,b)$ is similar, by using atomicity (Definition 12, item 3). $\square $

Theorem 5

If $(S_1,T_1)$ and $(S_2,T_2)$ with interpretation map $\pi $ atomically decompose a money scheme $(\mathscr {M}, \mathscr {P})$ with the bearer set $\mathscr {B}$, then for every $s_1\in S_1, s_2\in S_2$, $M=\pi (s_1,s_2)\in \mathscr {M}$ and $b\in \mathscr {B}$:

$$\begin{aligned} \sigma (M,b) = \sigma _1(s_1,b) + \sigma _2(s_2,b). \end{aligned}$$

Proof

Due to the accessibility of money (Definition 5), there is $P=P^m\circ \cdots \circ P^1\in \overline{\mathscr {P}}$ such that $\sigma (P(M), b)=0$. Let $M_0,M_1,\ldots , M_m\in \mathscr {M}$ be a sequence of money distributions such that $M_0=M$, and $M_i=P^i(M_{i-1})$ for every $i\in \{1, \ldots , m\}$. Let $s^0_1,s^1_1, \ldots , s^m_1\in S_1$ and $s^0_2,s^1_2, \ldots , s^m_2\in S_2$ be sequences of states such that $M_i=\pi (s^i_1,s^i_2)$ for every $i\in \{1, \ldots , m\}$. Due to decomposition, there exist $t^i_1\in T_1$ and $t^i_2\in T_2$ such that $s^i_1 = t^i_1(s^{i-1}_2)$ and $s^i_2 = t^i_2(s^{i-1}_2)$. Let $t_1=t^m_1\circ \ldots \circ t^1_1\in \overline{T}_1$ and $t_2=t^m_2\circ \ldots \circ t^1_2\in \overline{T}_2$. Therefore, $P(M)=P(\pi (s_1,s_2))=\pi (t_1(s_1),t_2(s_2))$. Hence, by Lemma 5:

$$\begin{aligned} \sigma (M,b)= & \, \sigma (M,b) - \sigma (P(M),b) = \sigma (\pi (s_1,s_2),b) - \sigma (\pi (t_1(s_1), t_2(s_2)),b)\\= & \, \sigma (\pi (s_1,s_2),b) - \sigma (\pi (t_1(s_1),s_2),b) + \\{} & \, + \;\sigma (\pi (t_1(s_1),s_2),b) - \sigma (\pi (t_1(s_1),t_2(s_2)),b)\\\le & \, \sigma _1(s_1,b) + \sigma _2(s_2,b). \end{aligned}$$

To prove the dual inequality, choose $t_1=t^{m_1}_1\circ \ldots \circ t^1_1\in \overline{T}_1$ and $t_2=t^{m_2}_2\circ \ldots \circ t^1_2 \in \overline{T}_2$ so that

$$\begin{aligned} \sigma _1(s_1,t)= & \, \sigma (\pi (s_1,s_2),b) - \sigma (\pi (t_1(s_1),s_2),b)\\ \sigma _2(s_2,t)= & \, \sigma (\pi (t_1(s_1),s_2),b) - \sigma (\pi (t_1(s_1),t_2(s_2)),b), \end{aligned}$$

where in the second equation, we use Lemma 5. Let $s^0_1,s^1_1, \ldots , s^{m_1}_1\in S_1$ be a sequence of states such that $s^0_1 = s_1$ and $s^i_1 = t^i_1(s^{i-1}_1)$, for every $i\in \{1,\ldots ,m_1\}$; and let $s^0_2,s^1_2, \ldots , s^{m_2}_2\in S_2$ be a sequence of states such that $s^0_2 = s_2$ and $s^j_2 = t^j_2(s^{j-1}_2)$, for every $j\in \{1,\ldots ,m_2\}$. Due to atomicity (Definition 12, item 1), for every $i\in \{1,\ldots , m_1\}$, there exists $P^i_1\in \mathscr {P}$ such that $P^i_1(\pi (s^{i-1}_1, s_2)) = \pi (s^i_1, s_2)$; and for every $j\in \{1,\ldots , m_2\}$, there exists $P^j_2\in \mathscr {P}$ such that $P^j_2(\pi (t_1(s_1), s^{j-1}_2)) = \pi (t_1(s_1), s^j_2)$. Hence, $P=P^{m_2}\circ \ldots \circ P^1_2\circ P^{m_1}_1\circ \ldots \circ P^{1}_1\in \mathscr {P}$ satisfies $P(M) = P(\pi (s_1,s_2)) = \pi (t_1(s_1),t_2(s_2))$. Therefore:

$$\begin{aligned} \sigma _1(s_1,b) + \sigma _2(s_2,b)= & \, \sigma (\pi (s_1,s_2),b) - \sigma (\pi (t_1(s_1),t_2(s_2)),b)\\= & \, \sigma (M,b) - \sigma (P(M),b) = \Delta _{P}(M,b)\\\le & \, \sigma (M,b). \end{aligned}$$

$\square $

Theorem 6

If $(S_1,T_1)$, $(S_2,T_2)$ with interpretation map $\pi $ atomically decompose a money scheme $(\mathscr {M}, \mathscr {P})$ with the bearer set $\mathscr {B}$, then $\sigma (M) = \sigma _1(s_1) + \sigma _2(s_2)$ for $M=\pi (s_1,s_2)$, and $\sigma _1(s_1)$ and $\sigma _1(s_2)$ are invariant under any $P\in \mathscr {P}$.

Proof

The first claim directly follows from Theorem 5:

$$\begin{aligned} \sigma (M) = \sum _{b\in \mathscr {B}} \sigma (M,b) = \sum _{b\in \mathscr {B}} (\sigma _1(s_1,b) + \sigma _2(s_2,b)) = \sum _{b\in \mathscr {B}} \sigma _1(s_1,b) + \sum _{b\in \mathscr {B}} \sigma _2(s_2,b). \end{aligned}$$

(3)

Let $s_1\in S_1$, $s_2\in S_2$, $t_1\in T_1$ and $t_2\in T_2$. By atomicity (Definition 12, item 1), there exists $P_1\in \mathscr {P}$ such that $P_1(M)=\pi (t_1(s_1), s_2)$. Hence,

$$\begin{aligned} \sigma (P_1(M)) = \sum _{b\in \mathscr {B}} \sigma _1(t_1(s_1),b) + \sum _{b\in \mathscr {B}} \sigma _2(s_2,b) \end{aligned}$$

(4)

and as $\sigma (P_1(M))=\sigma (M)$, we conclude by combining (3) and (4) that

$$\begin{aligned} \sum _{b\in \mathscr {B}} \sigma _1(t_1(s_1),b) = \sum _{b\in \mathscr {B}} \sigma _1(s_1,b). \end{aligned}$$

(5)

If $P\in \mathscr {P}$ is any payment, then by atomicity (Definition 12), there exist $t_1\in T_1$ and $t_2\in T_2$ such that $P(M)=\pi (t_1(s_1),t_2(s_2))$. Hence, in the pair $(t_1(s_1),t_2(s_2))$ of states interpreted as P(M), the value of $\sigma _1$ is $\sigma _1(t_1(s_1))=\sum _{b\in \mathscr {B}} \sigma _1(t_1(s_1),b) = \sum _{b\in \mathscr {B}} \sigma _1(s_1,b) = \sigma _1(s_1)$. The invariance of $\sigma _2(s_2)$ is proved analogously. $\square $

For example, Theorem 6 implies that there exist no atomic decompositions of the full account scheme that allows payments between any two accounts such that $(S_1,T_1)$ handles one subset of accounts and $(S_2,T_2)$ handles other accounts, because there is no possibility to pay from an account handled by $(S_1,T_1)$ to an account handled by $(S_2,T_2)$. Otherwise, the values $\sigma _1(s_1)$ and $\sigma _2(s_2)$ would change. In “Unitwise Decompositions of Money Schemes”, we take a more general approach to such unitwise decompositions of any money scheme.

Unitwise Decompositions of Money Schemes

In this section, we study a special type of decompositions of money schemes, where the unit set is divided into two subsets that are handled by two separate machines. In “Notations and definition, we give a formal definition for such decompositions, derive some theoretical results in “Theoretical results about unitwise decompositions”, and draw some conclusions in “Theoretical results about unitwise decompositions”.

Notations and Definition

Let the universe $\mathscr {U}$ of potential units be split into two non-intersecting subsets $\mathscr {U}_1$ and $\mathscr {U}_2$. We assume that $\mathscr {U}_1$, $\mathscr {U}_2$ are infinite. For a money distribution $M=(U,\nu ,\beta )$ let $M|_{\mathscr {U}_1}$ and $M|_{\mathscr {U}_2}$ be money distributions such that:

$$\begin{aligned} M|_{\mathscr {U}_1}= & \, (U\cap \mathscr {U}_1,\nu |_{\mathscr {U}_1}, \beta |_{\mathscr {U}_1})\\ M|_{\mathscr {U}_2}= & \, (U\cap \mathscr {U}_2,\nu |_{\mathscr {U}_2}, \beta |_{\mathscr {U}_2}) , \end{aligned}$$

where by $\nu |_{\mathscr {U}_1}$ is the restriction of $\nu $ to $\mathscr {U}_1$, i.e. a function $\nu |_{\mathscr {U}_1}:U\cap \mathscr {U}_1\rightarrow \mathbb {N}$ so that $\nu |_{\mathscr {U}_1}(u) = \nu (u)$ for every $u\in U\cap \mathscr {U}_1$. For any money distributions $M_1 = \{U_1,\nu _1,\beta _1\}$ with $U_1\subset \mathscr {U}_1$ and $M_2 = \{U_2,\nu _2,\beta _2\}$ with $U_2\subset \mathscr {U}_2$ we define a money distribution $M_1\oplus M_2$ as follows:

$$\begin{aligned} M_1\oplus M_2 = (U_1\cup U_2, \nu _1\cup \nu _2, \beta _1\cup \beta _2), \end{aligned}$$

where $\nu =\nu _1\cup \nu _2$ is a function such that $\nu (u) = \nu _1(u)$ if $u\in \mathscr {U}_1$ and $\nu (u)=\nu _2(u)$ otherwise. The function $\beta =\beta _1\cup \beta _2$ is defined similarly. Note that

$$\begin{aligned} M = M|_{\mathscr {U}_1}{} & \, \oplus \, M|_{\mathscr {U}_2}\end{aligned}$$

(6)

$$\begin{aligned} M_1 = (M_1 \oplus M_2)|_{\mathscr {U}_1}, \quad{} & \, \quad M_2 = (M_1 \oplus M_2)|_{\mathscr {U}_2} \end{aligned}$$

(7)

for any money distributions $M, M_1, M_2$. For any set $\mathscr {M}$ of money distributions, we define subsets $\mathscr {M}|_{\mathscr {U}_1}$ and $\mathscr {M}|_{\mathscr {U}_2}$ as follows:

$$\begin{aligned} \mathscr {M}|_{\mathscr {U}_1}= & \, \{M|_{\mathscr {U}_1}:M\in \mathscr {M}\}\\ \mathscr {M}|_{\mathscr {U}_2}= & \, \{M|_{\mathscr {U}_2}:M\in \mathscr {M}\} \end{aligned}$$

For every money transformation P on $\mathscr {M}$, we define money transformations $P|_{\mathscr {U}_1}$ on $\mathscr {M}|_{\mathscr {U}_1}$ and $P|_{\mathscr {U}_2}$ on $\mathscr {M}|_{\mathscr {U}_2}$ as follows:

$P|_{\mathscr {U}_1}$ acts on the units of $\mathscr {U}_1$ in the same way as P, except that it does nothing with the units of $\mathscr {U}_2$.
$P|_{\mathscr {U}_2}$ acts on the units of $\mathscr {U}_2$ in the same way as P, except that it does nothing with the units of $\mathscr {U}_1$.

It is easy to see that for every money distribution M and for every money transformation P such that $M\ne P(M)$:

$$\begin{aligned} P(M) = P|_{\mathscr {U}_1}(M|_{\mathscr {U}_1}) \oplus P|_{\mathscr {U}_2}(M|_{\mathscr {U}_2}) \end{aligned}$$

(8)

Note that $P=P|_{\mathscr {U}_1}\oplus P|_{\mathscr {U}_2}$ for every money transformation P.

Definition 14

If transition systems $(S_1,T_1), (S_2,T_2)$ with interpretation map $\pi $ decompose a money scheme $(\mathscr {M}, \mathscr {P})$, then we say that such a decomposition is unitwise decomposition relative to $\mathscr {U}_1$ and $\mathscr {U}_2$ if

Every $s_1=(U_1,\nu _1, \beta _1)\in S_1$ is a money distribution, where $U_1\subset \mathscr {U}_1$ and every $t_1\in T_1$ is a money transformation on $S_1$.
Every $s_2=(U_2, \nu _2, \beta _2)\in S_2$ is a money distribution, where $U_2\subset \mathscr {U}_2$ and every $t_2\in T_2$ is a money transformation on $S_2$.
$\pi (s_1,s_2)=s_1\oplus s_1=(U_1\cup U_2, \nu _1\cup \nu _2, \beta _1\cup \beta _2)$ for every $s_1=(U_1,\nu _1, \beta _1)\in S_1$ and $s_2=(U_2, \nu _2, \beta _2)\in S_2$. The map $\pi $ is surjective because of (6).

Theoretical Results about Unitwise Decompositions

First, it turns out (Theorem 7) that every money scheme has a canonical unitwise decomposition relative to any $\mathscr {U}_1, \mathscr {U}_2$. We call such a decomposition the natural decomposition. Therefore, the existence of decompositions tells nothing special about a money scheme. A more interesting question is when the natural decomposition is atomic in terms of Definition 12. Theorem 8 gives necessary and sufficient conditions for that in terms of the structure of the money scheme.

Sometimes in practical implementations it might be sufficient that a money scheme $(\mathscr {M}, \mathscr {P})$ is just a sub-scheme of a money scheme $(\mathscr {M}, \mathscr {P}')$ the natural decomposition of which is atomic. Theorem 9 gives necessary and sufficient conditions for that in terms of the algebraic structure of the payments $P\in \mathscr {P}$—their representations via composition-irreducible payments.

Theorem 7

For every money scheme $(\mathscr {M}, \mathscr {P})$, there exists a unitwise decomposition (called the natural decomposition) relative to $\mathscr {U}_1$ and $\mathscr {U}_2$.

Proof

Let $S_1 = \mathscr {M}|_{\mathscr {U}_1}$, $S_2 = \mathscr {M}|_{\mathscr {U}_2}$, $T_1=\{P|_{\mathscr {U}_1}:P\in \mathscr {P}\}$, $T_2=\{P|_{\mathscr {U}_2}:P\in \mathscr {P}\}$, and $\pi $ be defined as in Definition 14. Note that if $P\in P$, then $P|_{\mathscr {U}_1}$ and $P|_{\mathscr {U}_2}$ are money transformations, but not necessarily payments. This is indeed a decomposition in terms of Definition 10, because:

1.
If $s_1=M|_{\mathscr {U}_1}\in S_1$ and $s_2=M'|_{\mathscr {U}_2}\in S_2$ with $M,M'\in \mathscr {M}$, then $\pi (s_1,s_2)=s_1\oplus s_2$ is a money distribution, and hence, item 1 of Definition 10 is satisfied.
2.
Let $P\in \mathscr {P}$, $s_1=(U_1,\nu _1, \beta _1)\in S_1$, $s_2=(U_2, \nu _2, \beta _2)\in S_2$, and $M=\pi (s_1,s_2)$. If $M\ne P(M)$, then let $t_1=P|_{\mathscr {U}_1}$ and $t_2=P|_{\mathscr {U}_2}$. Therefore, by applying (8) and (7):
$$\begin{aligned} P(M)= & \, P|_{\mathscr {U}_1}(M|_{\mathscr {U}_1}) \oplus P|_{\mathscr {U}_2}(M|_{\mathscr {U}_2})\\= & \, P|_{\mathscr {U}_1}((s_1\oplus s_2)|_{\mathscr {U}_1}) \oplus P|_{\mathscr {U}_2}((s_1\oplus s_2)|_{\mathscr {U}_2})\\= & \, \pi (t_1(s_1),t_2(s_2)) \end{aligned}$$
If $M=P(M)$, then for $t_1=t_2=1$:
$$\begin{aligned} P(M) = M = \pi (s_1,s_2)=\pi (t_1(s_1),t_2(s_2)), \end{aligned}$$
and hence, item 2 of Definition 10 is satisfied.

$\square $

Theorem 8

The natural decomposition of a money scheme $(\mathscr {M}, \mathscr {P})$ relative to $\mathscr {U}_1$ and $\mathscr {U}_2$ is atomic, if and only if $P'|_{\mathscr {U}_1}\oplus P''|_{\mathscr {U}_2}\in \mathscr {P}$ for every $P',P''\in \mathscr {P}$.

Proof

First, we show the if-part, i.e. assume that $P'|_{\mathscr {U}_1}\oplus P''|_{\mathscr {U}_2}\in \mathscr {P}$ for every $P',P''\in \mathscr {P}$, and prove that the natural decomposition is atomic in terms of Definition 12.

Let $s_1=M'|_{\mathscr {U}_1}\in S_1=\mathscr {M}|_{\mathscr {U}_1}$, $s_2=M''|_{\mathscr {U}_2}\in S_2 = \mathscr {M}|_{\mathscr {U}_2}$ with $M',M''\in \mathscr {M}$, be any states, $M=\pi (s_1,s_2)=s_1\oplus s_2$, and $t_1=P'|_{\mathscr {U}_1}\in T_1$, $t_2=P''|_{\mathscr {U}_2}\in T_2$ be any transitions. Then $P=P'|_{\mathscr {U}_1}\oplus P''|_{\mathscr {U}_2}\in \mathscr {P}$.
- If $M\ne P(M)$, then:
  $$\begin{aligned} P(M)= & \, P|_{\mathscr {U}_1}(M|_{\mathscr {U}_1}) \oplus P|_{\mathscr {U}_2}(M|_{\mathscr {U}_2}) = P|_{\mathscr {U}_1}(M'|_{\mathscr {U}_1}) \oplus P|_{\mathscr {U}_2}(M''|_{\mathscr {U}_2})\\= & \, \pi (t_1(s_1),t_2(s_2)). \end{aligned}$$
- If $M=P(M)$, then also $t_1(s_1)=P'|_{\mathscr {U}_1}(M'|_{\mathscr {U}_1})=M'|_{\mathscr {U}_1}=s_1$, and $t_2(s_2)=P''|_{\mathscr {U}_2}(M''|_{\mathscr {U}_2})=M''|_{\mathscr {U}_2}=s_2$. Therefore
  $$\begin{aligned} P(M) = M = \pi (s_1, s_2) = \pi (t_1(s_1),t_2(s_2)). \end{aligned}$$
If $P\in \mathscr {P}$ is a payment such that $P(M)=\pi (t_1(s_1), t_2(s_2))$, then by assumption $P_1=P'|_{\mathscr {U}_1}\oplus 1, P_2=1\oplus P''|_{\mathscr {U}_2}\in \mathscr {P}$.
- If $M\ne P_1(M)$, then:
  $$\begin{aligned} P_1(M)= & \, P_1|_{\mathscr {U}_1}(M|_{\mathscr {U}_1}) \oplus P_1|_{\mathscr {U}_2}(M|_{\mathscr {U}_2}) = \pi (P'|_{\mathscr {U}_1}(M'|_{\mathscr {U}_1}), M''|_{\mathscr {U}_2})\\= & \, \pi (t_1(s_1),s_2) \end{aligned}$$
- If $M=P_1(M)$, then also $t_1(s_1)=P'|_{\mathscr {U}_1}(M'|_{\mathscr {U}_1})=M'|_{\mathscr {U}_1}=s_1$, and hence, $P_1(M)=M=\pi (s_1,s_2)=\pi (t_1(s_1), s_2)$.
- If $M\ne P_2(M)$, then:
  $$\begin{aligned} P_2(M)= & \, P_2|_{\mathscr {U}_1}(M|_{\mathscr {U}_1}) \oplus P_2|_{\mathscr {U}_2}(M|_{\mathscr {U}_2}) = \pi (M''|_{\mathscr {U}_1}, P''|_{\mathscr {U}_2}(M''|_{\mathscr {U}_2})) \\= & \, \pi (s_1,t_2(s_2)) \end{aligned}$$
- If $M=P_2(M)$, then also $t_2(s_2)=P''|_{\mathscr {U}_2}(M''|_{\mathscr {U}_2})=M''|_{\mathscr {U}_2}=s_2$, and hence, $P_2(M)=M=\pi (s_1,s_2)=\pi (s_1, t_2(s_2))$.

Hence, the item 1 of Definition 12 holds.

Let $P'_1\in \mathscr {P}$ and $M\ne P'_1(M) = \pi (t_1(s_1), s_2)$ for a $t_1=P|_{\mathscr {U}_1}$ for some $P\in \mathscr {P}$. Hence, $P'_1(M) = P|_{\mathscr {U}_1} (M|_{\mathscr {U}_1}) \oplus M|_{\mathscr {U}_2}= (P|_{\mathscr {U}_1}\oplus 1)(M) = t_1(s_1)\oplus 1$. As $t_1\oplus 1=P|_{\mathscr {U}_1}\oplus 1\in \mathscr {P}$ is also a money transformation, it implies by Lemma 2 that $P'_1=t_1\oplus 1$. As for every $s''_2\in S_2$ the money distribution $M'=s_1\oplus s''_2$ differs from $M=s_1\oplus s_2$ only by the elements outside $U_{P'_1}$, it follows from Lemma 1 that $M'\ne P'_1(M') = t_1(s_1)\oplus s''_2$. Hence, the item 2 of Definition 12 holds. The item 3 of Definition 12 is proved similarly.

To prove the only if part, assume that the natural decomposition is atomic. Let $P',P''\in \mathscr {P}$. If $P'|_{\mathscr {U}_1}\oplus P'|_{\mathscr {U}_1} = 1$, then it is an element of $\mathscr {P}$ by definition (Definition 5). If $P'|_{\mathscr {U}_1}\oplus P'|_{\mathscr {U}_1} \ne 1$, and $s_1\in S_1, s_2\in S_2$ are states such that $s_1\oplus s_2\ne P'|_{\mathscr {U}_1}\oplus P''|_{\mathscr {U}_2}(s_1\oplus s_2)$, then by taking $t_1=P'|_{\mathscr {U}_1}\in T_1$ and $t_2=P''|_{\mathscr {U}_2}\in T_2$, it follows from the atomicity (Definition 12) that there exists $P\in \mathscr {P}$ such that $P(s_1\oplus s_2) = t_1(s_1)\oplus t_2(s_2)$. Hence,

$$\begin{aligned} P(s_1\oplus s_2)= & \, P'|_{\mathscr {U}_1}(s_1)\oplus P''|_{\mathscr {U}_2}(s_2) = (P'|_{\mathscr {U}_1}\oplus P''|_{\mathscr {U}_2})(s_1\oplus s_2) \end{aligned}$$

which by Lemma 2 implies $P'|_{\mathscr {U}_1}\oplus P''|_{\mathscr {U}_2}=P\in \mathscr {P}$. $\square $

Definition 15

(Sub-decomposable money scheme) A money scheme $(\mathscr {M},\mathscr {P})$ is sub-decomposable relative to $\mathscr {U}_1$ and $\mathscr {U}_2$ if $\mathscr {P}\subseteq \mathscr {P}'$ for a money scheme $(\mathscr {M},\mathscr {P}')$ the natural decomposition of which is atomic relative to $\mathscr {U}_1$ and $\mathscr {U}_2$.

Theorem 9

A money scheme $(\mathscr {M}, \mathscr {P})$ is sub-decomposable relative to $\mathscr {U}_1$ and $\mathscr {U}_2$ if and only if for every $P\in \mathscr {P}$ and every $M\in \mathscr {M}$ with $M\ne P(M)$ there is a composition $P_1\circ \cdots \circ P_m$ (non-redundant at M) of composition-irreducible payments $P_i$ such that $P_i|_{\mathscr {U}_1}, P_i|_{\mathscr {U}_2}\in \{1,P_i\}$ for every $i\in \{1,\ldots ,m\}$ and $P(M) = (P_1\circ \cdots \circ P_m)(M)$.

Proof

Assume that for every $P\in \mathscr {P}$ and $M\in \mathscr {M}$ with $M\ne P(M)$ there is such a composition $P(M)=(P_1\circ \cdots \circ P_m)(M)$. Note that for every $i\in \{1,\ldots ,m\}$, either

$P_i|_{\mathscr {U}_1} = P_i$ and $P_i|_{\mathscr {U}_2}=1$, and these $P_i$ are called payments of the first type, or
$P_i|_{\mathscr {U}_2} = P_i$ and $P_i|_{\mathscr {U}_1}=1$, and these $P_i$ are called payments of the second type.

As $P_i\circ P_j = P_j\circ P_i$ for every $P_i$ of the first type and $P_j$ of the second type, we can assume without loss of generality that $P_1, \ldots , P_k$ are of first type and $P_{k+1}, \ldots , P_m$ are of second type. It is easy to see that

$$\begin{aligned} P|_{\mathscr {U}_1}(M)= & \, (P_1\circ \cdots \circ P_k)(M)\\ P|_{\mathscr {U}_2}(M)= & \, (P_{k+1} \circ \cdots \circ P_m)(M) \end{aligned}$$

Therefore, $P|_{\mathscr {U}_1}$ and $P|_{\mathscr {U}_2}$ act on any M as compositions of payments and hence, preserve $\sigma (M)$. Moreover, as P is a money transformation, also $P|_{\mathscr {U}_1}$ and $P|_{\mathscr {U}_2}$ are money transformations, and as they preserve $\sigma (M)$ they are payments.

Let $\mathscr {P}^\textsf{uni}_{\mathscr {U}_1,\mathscr {U}_2}\supseteq \mathscr {P}$ be the set of all payments that have such compositions at every money distribution. We proved that, for every $P\in \mathscr {P}^\textsf{uni}_{\mathscr {U}_1,\mathscr {U}_2}$, also $P|_{\mathscr {U}_1}, P|_{\mathscr {U}_2}\in \mathscr {P}^\textsf{uni}_{\mathscr {U}_1,\mathscr {U}_2}$ Moreover, the payments in the composition of $P|_{\mathscr {U}_1}$ can be chosen to be of the first type, for $P|_{\mathscr {U}_2}$, of the second type.

Let $P',P''\in \mathscr {P}^\textsf{uni}_{\mathscr {U}_1,\mathscr {U}_2}$, $M\in \mathscr {M}$ such that $M\ne (P'|_{\mathscr {U}_1}\oplus P''|_{\mathscr {U}_2})(M)$, and $M'=P'|_{\mathscr {U}_1}(M)$. As also $P'|_{\mathscr {U}_1}, P''|_{\mathscr {U}_2}\in \mathscr {P}'$, there are compositions

$$\begin{aligned} P'|_{\mathscr {U}_1}(M)= & \, (P_k\circ \cdots \circ P_1)(M)\\ P''|_{\mathscr {U}_2}(M')= & \, (P_m \circ \cdots \circ P_{k+1})(M'). \end{aligned}$$

As $P'|_{\mathscr {U}_1}$ and $P''|_{\mathscr {U}_2}$ are payments, also $P'|_{\mathscr {U}_1}\oplus P''|_{\mathscr {U}_2}$ is a payment. Moreover

$$\begin{aligned} (P'|_{\mathscr {U}_1}\oplus P''|_{\mathscr {U}_2})(M) = P''|_{\mathscr {U}_2}(P'|_{\mathscr {U}_1}(M)) = (P_m \circ \cdots \circ P_1)(M) \end{aligned}$$

and therefore $P'|_{\mathscr {U}_1}\oplus P''|_{\mathscr {U}_2}\in \mathscr {P}^\textsf{uni}_{\mathscr {U}_1,\mathscr {U}_2}$. Hence, $(\mathscr {M}, \mathscr {P}^\textsf{uni}_{\mathscr {U}_1,\mathscr {U}_2})$ is a money scheme the natural decomposition of which is atomic by Theorem 8.

Assume now that there is a money scheme $(\mathscr {M}, \mathscr {P}')$ with $\mathscr {P}\subseteq \mathscr {P}'$ the natural decomposition of which is atomic. Let $P\in \mathscr {P}$ and $M\ne P(M)$ for an $M\in \mathscr {M}$. From Theorem 8 it follows that $P|_{\mathscr {U}_1}=P|_{\mathscr {U}_1}\oplus 1$ and $P|_{\mathscr {U}_2}=1\oplus P|_{\mathscr {U}_2}$ are payments in $\mathscr {P}'$, and also $P(M)=(P|_{\mathscr {U}_1}\oplus P|_{\mathscr {U}_2})(M)=(P|_{\mathscr {U}_1}\circ P|_{\mathscr {U}_2})(M)$ because of $M\ne P(M)$. Let

$$\begin{aligned} P|_{\mathscr {U}_1}((P|_{\mathscr {U}_2})(M))= & \, (P^{m_1}_1\circ \cdots \circ P^1_1) ((P|_{\mathscr {U}_2})(M))\\ P|_{\mathscr {U}_2}(M)= & \, (P^{m_2}_2\circ \cdots \circ P^1_2)(M) \end{aligned}$$

be any compositions of $P|_{\mathscr {U}_1}$ on $M'=(P|_{\mathscr {U}_2})(M)$ and of $P|_{\mathscr {U}_2}$ on M into composition-irreducible payments $P^i_j$ that exist due to Corollary 4. It is easy to see that these compositions can be chosen in a way that $P^i_1$ do nothing with the units of $\mathscr {U}_2$ and $P^i_2$ do nothing with the units of $\mathscr {U}_1$. Hence, $P^i_1|_{\mathscr {U}_1}=P^i_1$ and $P^i_2|_{\mathscr {U}_2}=P^i_2$. Therefore, $P(M)=(P^{m_1}_1\circ \cdots \circ P^1_1\circ P^{m_2}_2\circ \cdots \circ P^1_2)(M)$ is a composition with the required properties. $\square $

Corollary 10

Every money scheme is sub-decomposable relative to $\mathscr {U}_1,\mathscr {U}_2$ if and only if it is a sub-scheme of $(\mathscr {M},\mathscr {P}^\textsf{uni}_{\mathscr {U}_1,\mathscr {U}_2})$.

Implications

If a composition-irreducible payment P is a zero-creation, a zero-deletion, or a single unit transfer, then $P|_{\mathscr {U}_1}, P|_{\mathscr {U}_2}\in \{1,P\}$, because these payments only involve a single unit.

In practical implementations of money schemes, transfers with recreation and two-unit splits can be organized in a way that the newly created units are always chosen in the same $\mathscr {U}_i$, which guarantees that the condition $P|_{\mathscr {U}_1}, P|_{\mathscr {U}_2}\in \{1,P\}$ holds.

The critical composition-irreducible payments for atomic decomposability are two-unit joins and two-unit swaps (the only composition-irreducible payments with input complexity $\Vert P\Vert _\textsf{in}=2$), where the condition $P|_{\mathscr {U}_1}, P|_{\mathscr {U}_2}\in \{1,P\}$ does not hold if the two involved units are in different $\mathscr {U}_i$. Therefore, the input complexity $\Vert P\Vert _\textsf{in}$ (and not $\Vert P\Vert $) is critical for unitwise atomic decomposability. Some implications:

The complete account money scheme, where payments can be done between any two accounts are not subschemes of money schemes the natural decomposition of which is atomic, because the complete account scheme implements two-unit swaps that involve any pair u, v of units.
The same is true for the complete UTXO money scheme, because it implements two-unit joins that involve any pair u, v of UTXOs.
The bill money scheme itself has unitwise atomic decompositions, as single bill payments have complexity $\Vert P\Vert _\textsf{in} = 1$.

Moreover, the bill money scheme enables total unitwise atomic decomposability where every bill u is maintained in a separate machine and in the blockchain setting in a separate transaction validator that produces the blockchain (ledger) of the bill u in the form:

$$\begin{aligned} (s^u_0,\tau _0,\Pi ^u_0,C_0; (B^u_1,\tau _1, \Pi ^u_1,C_1), (B^u_2,\tau _2, \Pi ^u_2,C_2), \ldots , (B^u_m, \tau _m, \Pi ^u_m,C_m)) , \end{aligned}$$

where $B^u_i$ is either empty or contains a single payment $P^u_i$, and $\Pi ^u_i$ denotes additional information (usually in the form of a hash chain) that helps to verify the blockchain against the certificate $C_i$.

Security of Blockchain Implementations

In the so called permissionless blockchain systems new blocks are verified by thousands of nodes and erroneous blocks in the certified blockchain can be considered as almost impossible. However, permissionless systems tend to be more costly to manage and to have larger $\textrm{CO}_2$ traces compared to permissioned blockchain systems where the number of redundant nodes is much smaller.

Hence, it is probably more efficient to implement Central Bank Digital Currency (CBDC) as a permissioned blockchain system, where new blocks are verified by just a few nodes. However, in this case, due to potential insider threats, erroneous blocks in the blockchain should be considered a possibility.

In the blockchain node (Fig. 3), the transaction validator together with the file repository are modelled as an adversarial entity that may deviate from ledger rules. Misbehavior of a node may be caused by internal attacks by malicious employees of system operators who may also be owners of money.

The practical goal of an attacker is to buy some goods by using falsified electronic cash, so that such a deception remains undetected for certain time sufficient for the attacker to escape. We assume covert adversaries [43, 44] that are considered successful only if their malicious behaviour remains undetected at least for some time. The Certifier (Fig. 3) is guaranteed to create a unique block certificate $C_n$ for every block number n. Adversary has no control over the Certifier that is assumed to be controlled by the central bank.

We assume that a bill payment scheme is used in the CBDC blockchain solution, where every bill u has a bill ledger. At every payment with u, an audit protocol is executed to verify that the bill is properly used, i.e. all the ledger rules are fulfilled. In the sequel, we study two types of audit protocols:

1.
Full audit—guarantees that the ledger rules are followed.
2.
Probabilistic audit—guarantees that any deviation from ledger rules will be detected very soon with high probability.

Rules of a Bill Ledger

Let U be the set of all bills and $\beta _0:U \rightarrow \mathscr {B}$ be a function that defines the initial owner $\beta _0(u)$ of every bill $u\in U$. We assume that both U and $\beta _0$ are verifiably certified by Central Bank and cannot be altered by other parties. Every payment order is in the form $P^u=\langle \iota , b, \lambda , s \rangle $, where $\iota $ is a unique identifier of u, $b\in B$ is the payee identifier, $\lambda $ is a unique identifier of the payment order, and s is a signature of the payer. Every block $B^u_n$ of the bill ledger

$$\begin{aligned} (s^u_0,\tau _0,\Pi ^u_0,C_0; (B^u_1,\tau _1, \Pi ^u_1,C_1), (B^u_2,\tau _2, \Pi ^u_2,C_2), \ldots , (B^u_m, \tau _m, \Pi ^u_m,C_m)), \end{aligned}$$

is either empty, or contains a payment order $P^u_n=\langle \iota , b, \lambda , s \rangle $, where:

1.
$\lambda = H(\iota , \beta _0(u))$ and s is the signature of $\beta _0(u)$ if $P^u_n$ is the first payment with u, where $H:\{0,1\}^*\rightarrow \{0,1\}^k$ is a cryptographic hash function.
2.
$\lambda = H(P^u_{n'})$ and s is the signature of $b'$ if $P^u_{n'}=\langle \iota , b', \lambda ', s' \rangle $ is the payment order contained in the last non-empty block $B^u_{n'}$ in the sequence $B^u_1, \ldots , B^u_{n-1}$.

Hence, the blocks $B^u_{n'+1}, B^u_{n'+2}, \ldots , B^u_{n-2}, B^u_{n-1}$ must be empty. The collision-resistance of H guarantees that $\lambda $ is unique for every payment order.

The certificate $C_n$ contains the block hash $r_n$ and there is a function $F^H$ that uses H as an oracle such that $F^H(u; B^u_n, \Pi ^u_n)=r_n$, and If $R^u\ne \underline{R}^u$ and $F^H(u; B^u, \Pi ^u)=F^H(u; \underline{B}^u, \underline{\Pi }^u)$, then the computations of $F^H$ contain either an H-collision, or an H-pre-image of $0^k$ – a bitstring X such that $H(X)=0^k$. Both are assumed to be infeasible to find for practical hash functions.

User Side Full Audit

The main idea behind the full audit is that every user who has received u with a payment $P^u_{n'}$ and later, at block $n>n'$, uses u in a payment $P^u_n$, verifies that the blocks $B^u_{n'+1}, B^u_{n'+2}, \ldots , B^u_{n-1}$ are empty (Fig. 5).

Full Audit Protocol

Assume that a user has a bill u paid to her with a payment order $P^u_{n'}$ at block $n'$, and that the user’s wallet already contains the certificates $C_0, \ldots , C_{n'}$ that were already verified, the block $B^u_{n'}$, and the proof $\Pi ^u_{n'}$ which also has been verified.

In a block $n>n'$, the user creates a block $B^u_n$ with a new payment order $P^u_n=\langle \iota , b, \lambda , s \rangle $, where $\lambda =H(P^u_{n'})$ and sends it to the transaction validator. User then executes the following full audit protocol:

1.
User requests $C_{n'+1}, \ldots , C_n$ and $\Pi ^u_{n'+1}, \ldots , \Pi ^u_n$ from the file repository.
2.
User verifies $C_{n'+1}, \ldots , C_n$.
3.
User verifies $\Pi ^u_{n'+1}, \ldots , \Pi ^u_n$, assuming that $B^u_{n'+1}, \ldots , B^u_{n-1}$ are empty, i.e. for every $i\in \{n'+1, \ldots , n-1\}$ the user extracts the block hashes $x_i$ from $C_i$ and checks that $F^H(u; \emptyset , \Pi ^u_i)=r_n$.

Security of the Full Audit

Ledger rules violation means inserting a block $\overline{B}^u_i=\{P^u_i\}$ to the ledger, where $P^u_i$ does not properly follow $P^u_{n'}$, e.g. is not signed by $P^u_{n'}.b$. If the full audit at n also verifies, then $F^H(u; B^u_i, \Pi ^u_i) = r_n = F^H(u; \underline{B}^u_i, \underline{\Pi }^u_i)$ and there is a collision for H or an X such that $H(X)=0^k$ (Fig. 6).

Communication Complexity of the Full Audit

Let N be the total number of bills. The size of a proof is $k\cdot \log _2 N$ bits. As we need $n-n'$ proofs during the audit, the total number of bits communicated is $(n-n')\cdot k\cdot \log _2 N$ which may be impractical if $n\gg n'$. Using the probabilistic audit enables to reduce the communication complexity. The idea is that we check a random d-element subset of $B^u_{n'+1}, B^u_{n'+2}, \ldots , B^u_{n-1}$. In the general case, with the bill ledger certification scheme that we described, such an audit is inefficient because the detection probability $\delta $ of one single illegal block is about $\frac{d}{n-n'}$ which means that for a high $\delta $ the number d of detected blocks must be close to $n-n'$. We show that proper ledger certification schemes enable to keep d small.

KSI-Cash Bill Ledger

In this section, we describe the bill ledger certification scheme of the KSI-Cash CBDC solution [1] enables efficient probabilistic audit protocols with d being a fixed constant that only depends on the required detection probability and not on the length $n-n'$ of the auditing interval.

Hash Chains

By a hash chain c we mean a (possibly empty) list $\langle (b_1, y_1), (b_2, y_2), \ldots , (b_\ell , y_\ell ) \rangle $, where $b_i\in \{0,1\}$ and $y_i\in \{0,1\}^k$ for every $i\in \{1, \ldots , \ell \}$. The bitstring $b_1b_2\ldots b_\ell $ is called the shape of c. Every hash chain can be viewed as a function $c:\{0,1\}^k\rightarrow \{0,1\}^k$ defined as follows:

1.
$\langle \rangle (x) = x$ for every $x\in \{0,1\}^k$, where $\langle \rangle $ is the empty list
2.
$\langle c\Vert (b,y)\rangle (x) = \left\{ \begin{array}{ll} H(c(x), y) &{} \text{ if } b=0\\ H(y, c(x)) &{} \text{ if } b=1 \end{array}, \right. $ where $\langle c\Vert (b,y)\rangle $ denotes the list obtained from c by adding (b, y) as the last element.

The Idea of Probabilistic Audit

For every block $B^u_n$, we define the ledger hash $x_n$ that is a function of the previous ledger hash $x_{n-1}$ and the block $B^u_n$. If $B^u_n=\emptyset $, then $x_{n+1}=x_{n}$. Hence, if $B^u_{n'}=\{P^u_{n'}\}$ is the last non-empty block of u, and the current block number is $n-1$, then $x_{n-1} = x_{n-2}=\ldots = x_{n'}$ if ledger is correctly formed. We say that the empty blocks $n'+1, \ldots , n-1$ are consistent with $B^u_{n'}$.

Assume now that an illegal block $B^u_{i}=\{P^u_i\}$ with $n'<i<n-1$ is added to the ledger (Fig. 7) with $P^u_i.\lambda \ne H(P^u_{n'})$, i.e. $P^u_i$ “double-spends" the bill u. Then $x_{i}\ne x_{n'}$ and hence, each of the empty blocks $B^u_{i+1}, B^u_{i+2},\ldots , B^u_{n-1}$ is either consistent with $B^u_{n'}$ or with $B^u_{i}$, but not with both. The empty blocks that are consistent with $B^u_{n'}$ are called black blocks, and the empty blocks that are consistent with $B^u_{i}$ are called white blocks. Hence, each of the blocks $B^u_{i+1}, B^u_{i+2},\ldots , B^u_{n-1}$ is either black or white (Fig. 7).

The next payment $P^u_n$ with u in the block $B^u_n=\{P^u_n\}$ may either refer back to $B^u_{n'}$ (i.e. $P^u_{n}.\lambda = H(P^u_{n'})$) or to $B^u_{i}$ (i.e. $P^u_{n}.\lambda = H(P^u_{i})$). In the former case, during the audit protocol the blocks $B^u_{i+1}, B^u_{i+2},\ldots , B^u_{n-1}$ must be shown to be black, and in the latter case these blocks must be shown to be white. For randomly chosen $j\leftarrow \{i+1, \ldots , n-1\}$, either

The probability that $B^u_j$ is consistent with $B^u_{i}$ is $\le \frac{1}{2}$
The probability that $B^u_j$ is consistent with $B^u_{n'}$ is $\le \frac{1}{2}$

and hence, an audit with one randomly selected block $B^u_j$ in at least one of the two cases succeeds with probability not larger than $\frac{1}{2}$.

Proofs and Ledger Hashes in KSI-Cash

For every $n>0$, a proof $\Pi ^u_{n}$ is a pair $(x_{n-1}^u, c^u_n)$, where $x^u_{i}$ is a ledger hash computed by the rules:

1.
$x^u_0 = 0$
2.
$x^u_i = h_0(x^u_{i-1}, h_D(R^u_{i}))$, where:
- $h_D(X) = H(X)$ if $X\ne \emptyset $, and $h_D(X) = 0$ if $X=\emptyset $
- $h_0(x,y) = H(x,y)$ if $y\ne 0$, and $h_0(x, y) = 0$ if $y=0$

and $c^u_n$ is a hash chain with the shape special to u from $x_n$ to the block hash $r_n$ in $C_n$, i.e. $c^u_n(x_n)=r_n$. The function $F_H$ is defined as follows:

$$\begin{aligned} F^H(u; B, (x, c)) = c(h_0(x, h_D(B))). \end{aligned}$$

Lemma 6 guarantees that two different non-empty blocks $B^u_{n'}$ and $B^u_{n''}$ must have different ledger hashes. If $n'<n''<j$, then the ledger hash $x_{j}$ cannot equal to both $x_{n'}$ and $x_{n''}$ and then by Lemma 7 (proved in [45]), if the block $B^u_j$ is consistent with both $B^u_{n'}$ and $B^u_{n''}$, we have a collision for H.

Lemma 6

If $\emptyset \ne B^u_{n'} \ne B^u_{n''}\ne \emptyset $, then either $x^u_{n'} \ne x^u_{n''}$, or we have an explicit H-collision or a bitstring X such that $H(X)=0$.

Proof

If $x^u_{n'} = x^u_{n''}$, then by definition $h_0(x', h_D(B^u_{n'})) = h_0(x'', h_D(B^u_{n''}))$ for some $x', x''\in \{0,1\}^k$, which by $B^u_{n'}\ne \emptyset $ and $B^u_{n''}\ne \emptyset $ implies $h_0(x', H(B^u_{n'})) = h_0(x'', H(B^u_{n''}))$. If $H(B^u_{n'})=0$ or $H(B^u_{n''})=0$, then we can take $X=B^u_{n'}$ or $X=H(B^u_{n''})$ and have $H(X)=0$. If $H(B^u_{n'})\ne 0\ne H(B^u_{n''})$, then by definition of $h_0$, we have $H(x', H(B^u_{n'})) = H(x'', H(B^u_{n''}))$ and because of $B^u_{n'} \ne B^u_{n''}$, we have a collision for H. $\square $

Lemma 7

If $c^u, {\underline{c}}^u$ are two hash chains with the same u-specific shape, and $c^u(x^u_{n'}) = \underline{c}^u (x^u_{n''})$ and $x^u_{n'}\ne x^u_{n''}$, then we have an explicit H-collision.

Proof

Let $c^u=\langle (b_1, y_1), \ldots , (b_\ell , y_\ell ) \rangle $ and ${\underline{c}}^u=\langle (b_1, y'_1), \ldots , (b_\ell , y'_\ell ) \rangle $ be two hash chains of the same shape. We use induction on $\ell $. If $\ell = 0$, then $c^u=\langle \rangle ={\underline{c}}^u$ and for every $x^u_{n'}\ne x^u_{n''}$, we have $c^u(x^u_{n'}) = x^u_{n'} \ne x^u_{n''}=\underline{c}^u (x^u_{n''})$ and hence, the induction basis trivially holds. Assume now that the statement holds for the chains of length $\ell -1$, for example, for the chains $c=\langle (b_1, y_1), \ldots , (b_{\ell -1}, y_{\ell -1})$ and $c'=\langle (b_1, y'_1), \ldots , (b_{\ell -1}, y_{\ell -1})$. Hence, $c^u=\langle c\Vert (b_\ell ,y_\ell )\rangle $ and ${\underline{c}}^u=\langle c'\Vert (b_\ell ,y'_\ell )\rangle $. If $b_\ell = 1$, then it follows from $c^u(x^u_{n'}) = \underline{c}^u (x^u_{n''})$ that

$$\begin{aligned} H(y_\ell , c(x^u_{n'})) = H(y'_\ell , c'(x^u_{n''})). \end{aligned}$$

(9)

If $c(x^u_{n'})\ne c'(x^u_{n''})$, then (9) represents a collision for H. If $c(x^u_{n'})= c'(x^u_{n''})$, we apply the induction hypothesis to imply that the computations $c(x^u_{n'})$, $c'(x^u_{n''})$ contain an H-collision. The proof for the case $b_\ell = 0$ is similar. $\square $

KSI Cash Bill Ledger Implementation Case Study

Together with the European Central Bank and a group of eight national central banks from the Eurosystem, KSI Cash [1, 46,47,48,49] has been implemented as a proof-of-concept to assess the technological feasibility of a digital euro.

The performance of the technology has been tested exhaustively. With these performance tests, we achieved:

15 thousand transactions per second, under simulation of realistic usage, with 100 million wallets,
up to 2 million payment orders per second, i.e., an equivalent of more than 300,000 transactions per second, in a laboratory setting with the central components of KSI Cash,
an estimated carbon footprint of 0.0001g CO2 per transaction (as compared to: Bitcoin = 100 kg and more [50,51,52]).

For an exhaustive report on the KSI Cash implementation, its data structures and performance test results, see [1].

User Side Probabilistic Audit in KSI-Cash

User has a bill u paid to her with a payment order $P^u_{n'}$ at block $n'$. We assume that user wallet contains the certificates $C_0, \ldots , C_{n'}$ that were already verified, the block $B^u_{n'}$, and the proof $\Pi ^u_{n'}$, that have also been verified. In a block $n>n'$, the user creates a block $B^u_n$ with a new payment order $P^u_n=\langle \iota , b, \lambda , s \rangle $, where $\lambda =H(P^u_{n'})$, sends it to the transaction validator, and initiates the next protocol:

Probabilistic audit protocol:

1.
The user requests and verifies the certificates $C_{n'+1}, \ldots , C_{n}$.
2.
The user generates d random numbers $n_1, \ldots , n_d \in \{n'+1, \ldots , n-1\}$.
3.
The user requests $\Pi ^u_{n_1}=(x'_{n_1}, c^u_{n_1}), \ldots , \Pi ^u_{n_d}=(x'_{n_d}, c^u_{n_d})$ and checks that $x'_{n_1} = \ldots = x'_{n_d}=x^u_{n'}$, and $c^u_{n_1}(x^u_{n'})=r_{n_1}, \ldots , c^u_{n_d}(x^u_{n'})=r_{n_d}$.

Simplistic Security Analysis

Let the ledger be inconsistent already at block $B^u_{n'}$ and there are black blocks and white blocks that are inconsistent with each other (Fig. 8). Therefore:

If the fraction of white blocks between $n'$ and n is $\le \frac{1}{2}$, and the payment $P^u_n$ is “white" ($P^u_n.\lambda = H(P^u_{i})$), then the audit succeeds with probability $\le 2^{-d}$.
If the fraction of black blocks between $n'$ and n is $\le \frac{1}{2}$, and $P^u_n$ is “black" ($P^u_n.\lambda = H(P^u_{n'})$), then the audit succeeds with probability $\le 2^{-d}$.

This analysis is precise only if the two blocks $B^u_{n'}, B^u_{n''}$ are very close, i.e. $n'\approx n''$. In a more realistic scenario, adversary may choose suitable block numbers, for example, by delaying the execution of transactions, to make the success probability of probabilistic audit as high as possible. In the next section, we analyze such a possibility and show that such manipulation is not possible considering the properties of practical money systems.

Security: Alternating Payments Case

First, consider a scenario, where the adversary has to execute black payments and white payments alternatively as shown in Fig. 9. Assume that the bill u have paid to two different honest users b and $b'$ at block $n_0$ and $n_1$, respectively. We assume that the payment to b is already an illegal transaction, i.e. from the block $n_0$ and further, the later blocks (and their certificates) may be consistent with only one branch of the bill ledger. The blocks consistent with the payment to b are said to be black, and the blocks consistent with the payment to $b'$ are said to be white.

Later at block $n_2$, the user b pays u to another user, at block $n_3$ the user $b'$ pays u to another user, and at block $n_4$ the bill u is being paid again. We assume that the adversary can choose the blocks $n_1, n_2, n_3, n_4$ in an appropriate way to hide the inconsistency of the ledger from probabilistic audit.

We assume that there are $N_0=n_1-n_0-1$ between the payments to b and $b'$. Analogously, let $N_1=n_2-n_1-1$, $N_2=n_3-n_2-1$, and $N_3=n_4-n_3-1$ (Fig. 9, upper). Note that all these blocks depicted as grey are either black or white. The color of these blocks can be chosen by the adversary. When the payment is made at the block $n_2$, the adversary is interested that most of the $N_0+N_1$ grey blocks are black, because the payment at $n_2$ is checked to be consistent with the black branch. When the payment is made at $n_3$, the adversary is interested that most of the $N_1+N_2$ blocks are white, and for the payment at $n_4$, most of the $N_2+N_3$ should be black again.

In the general case, the adversary has to execute black and white payments in arbitrary order (Fig. 9, lower), that before the payment that continues the black block at $n_0$ is made at the block $n_2$, some payments continue the white block at $n_1$ and the last such payment happens at the block $n'_1$. We assume that the number of blocks between $n_1$ and $n'_1$ is $N'_0$. It may be that none of such payments happen and then $n'_1=n_1$ and $N'_0=0$, and hence, we have the alternating attack. Analogously, we assume that some payments may continue the black block at $n_2$ and the last such payment happens at the block $n'_2$, etc.

Say the adversary wants that any of the probabilistic test with d samples should succeed with probability $1-\delta $. This means that every single-sample test must succeed with probability $1-\epsilon $, where $(1-\epsilon )^d = (1-\delta )$. For small values of $\epsilon $ and $\delta $ they are related linearly: $\epsilon \approx \frac{\delta }{d}$. We prove in Appendix A that in the general case, the following theorem holds.

Theorem 11

The block numbers $n_i$ chosen by the adversary satisfy the equality

$$\begin{aligned} n_{k+1} - n_0> & \, \left( \frac{1-\epsilon }{\epsilon }\right) ^{k-1} (N_1+N'_1) - \left[ \frac{1-\epsilon }{\epsilon } + \ldots + \left( \frac{1-\epsilon }{\epsilon }\right) ^{k-2} \right] (N_0+N'_0). \end{aligned}$$

Hence, the required delays between payments must grow exponentially, that is clearly not realistic to enforce by adversaries in practice.

Discussion

It is not clear how to use client-side audit in case of account money schemes. We cannot just copy the idea of probabilistic audit of bill ledgers, because of very different ledger rules. Even if the total amount of money is controlled by the Central Bank (via count-certified trees [53], etc.), there is always “money on the fly"—payer account debited but payee account not yet credited. The amount of “money on the fly" gives attackers room for illegal transactions that are hard to detect “on-line". It would be an interesting research question whether there exist efficient probabilistic audit protocols for account money schemes

Scalability is one of the most important design goals not only for CBDCs but for blockchain technology in general. Hence, it would be interesting to study if the algebraic decomposition theory presented in this paper can be generalized to address wider design issues of blockchains.

Conclusions

We showed that efficient decomposability (shardability) of blockchain implementations of electronic money depends on the choice of money scheme and how it is associated with the algebraic structure of the payments. It turned out that the natural decomposition of the money scheme is atomic only if the payments can be represented as compositions of irreducible payments without two-unit swaps and two-unit joins. Bill payments have such representations and therefore, the bill money scheme is atomically decomposable. For account and UTXO payments such representations do not exist and therefore, the natural decompositions of the account and the UTXO money schemes are not atomic. Moreover, these schemes have no atomic decompositions of any kind.

The bill money scheme turns out to be the most natural choice also from the viewpoint of security, because it enables efficient and scalable client-side probabilistic audit of the blockchain.

Notes

References

Buldas A, Draheim D, Gault M, Laanoja R, Nagumo T, Saarepera M, Shah SA, Simm J, Steiner J, Tammet T, Truu A. An ultra-scalable blockchain platform for universal asset tokenization: design and implementation. IEEE Access. 2022;10:77284–77322. https://doi.org/10.1109/ACCESS.2022.3192837
Danezis G, Meiklejohn S. Centrally banked cryptocurrencies. In: Proceedings of NDSS’16—the 23rd annual symposium on network and distributed system security. Reston: The Internet Society; 2016. p. 1–14.
Federal Reserve Bank of Boston and Massachusetts Institute of Technology Digital Currency Initiative: Project Hamilton Phase 1—A High Performance Payment Processing System Designed for Central Bank Digital Currencies. Federal Reserve Bank of Boston, Boston (3 February 2022). https://www.bostonfed.org/-/media/Documents/Project-Hamilton/Project-Hamilton-Phase-1-Whitepaper.pdf. Accessed 26 Mar 2022.
Giesecke+Devrient: G+D Filia—A Digital Complement to Cash. Giesecke+Devrient, Munich, Germany (2021). https://www.gi-de.com/corporate/Payment/Central_Bank_Digital_Currencies/GD_brochure_filia.pdf. Accessed 06 Aug 2022.
Yu G, Wang X, Yu K, Ni W, Zhang JA, Liu RP. Survey: sharding in blockchains. IEEE Access. 2020;8:14155–81. https://doi.org/10.1109/ACCESS.2020.2965147.
Article Google Scholar
Hafid A, Hafid AS, Samih M. Scaling blockchains: a comprehensive survey. IEEE Access. 2020;8:125244–62. https://doi.org/10.1109/ACCESS.2020.3007251.
Article Google Scholar
Luu L, Narayanan V, Zheng C, Baweja K, Gilbert S, Saxena P. A secure sharding protocol for open blockchains. In: Proceedings of CCS’16—the 23rd ACM SIGSAC conference on computer and communications security. New York: 2016; ACM. p. 17–30. https://doi.org/10.1145/2976749.2978389.
Chen H, Wang Y. SSChain: a full sharding protocol for public blockchain without data migration overhead. Pervasive Mob Comput. 2019;59(101055):1–15.
Article Google Scholar
Kokoris-Kogias E, Jovanovic P, Gasser L, Gailly N, Syta E, Ford B. OmniLedger: a secure, scale-out, decentralized ledger via sharding. Cryptol ePrint Arch Rep. 2017;2017(406):1–16.
Google Scholar
Kokoris-Kogias E, Jovanovic P, Gasser L, Gailly N, Syta E, Ford B. OmniLedger: a secure, scale-out, decentralized ledger via sharding. In: Proceedings of S &P’18—the 39th IEEE symposium on security and privacy. New York: IEEE; 2018. p. 583–98. https://doi.org/10.1109/SP.2018.000-5.
Zamani M, Movahedi M, Raykova M. RapidChain: scaling blockchain via full sharding. In: Proceedings of CCS’18—the 25th ACM SIGSAC conference on computer and communications security. New York: ACM; 2018. https://doi.org/10.1145/3243734.3243853.
Dang H, Dinh TTA, Loghin D, Chang E-C, Lin Q, Ooi BC. Towards scaling blockchain systems via sharding. In: Proceedings of SIGMOD’19: the 2019 international conference on management of data. New York: ACM; 2019. p. 123–40. https://doi.org/10.1145/3299869.3319889.
Manuskin A, Mirkin M, Eyal I. Ostraka: secure blockchain scaling by node sharding. In: Proceedings of Euro S &PW’2020—the 2020 IEEE European symposium on security and privacy workshops. New York: IEEE; 2020. p. 397–406. https://doi.org/10.1109/EuroSPW51379.2020.00060.
Stegos AG. A Platform for Privacy Applications, version 1.0. 2019. https://stegos.com/docs/stegos-whitepaper.pdf. Accessed 3 July 2022.
Buterin V. A next generation smart contract and decentralized application platform—Ethereum White Paper. 2015.
Drake J. Ethereum Sharding. 2018. https://youtu.be/J4rylD6w2S4. Accessed 26 Mar 2022.
Wang J, Wang H. Monoxide: scale out blockchains with asynchronous consensus zones. In: Proceedings of NSDI’19—16th USENIX symposium on networked systems design and implementation. USENIX Association, Berkeley. 2019. p. 95–112.
The ZILLIQA Team. The ZILLIQA Technical Whitepaper, Version 0.1. 2017. https://docs.zilliqa.com/whitepaper.pdf. Accessed 3 July 2022.
Harmony Team. Harmony Technical Whitepaper, Version 2.0. 2018. https://harmony.one/whitepaper.pdf. Accessed 3 July 2022.
Hafid A. Probabilistic models to analyze the security of sharding-based blockchain protocols. PhD thesis, University of Mulay Ismail, University of Montreal. 2021.
Al-Bassam M, Sonnino A, Bano S, Hrycyszyn D, Danezis G. Chainspace: a sharded smart contracts platform. In: Proceedings of NDSS’18—the 25th annual network and distributed system security symposium. The Internet Society, Reston. 2018.
Sohrabi N, Tari Z. ZyConChain: a scalable blockchain for general applications. IEEE Access. 2020;8:158893–910. https://doi.org/10.1109/ACCESS.2020.3020319.
Article Google Scholar
Du M, Chen Q, Ma X. MBFT: a new consensus algorithm for consortium blockchain. IEEE Access. 2020;8:87665–75. https://doi.org/10.1109/ACCESS.2020.2993759.
Article Google Scholar
Chan WK, Chin J-J, Goh VT. Simple and scalable blockchain with privacy. J Inf Secur Appl. 2021;58(102700):1–11.
Google Scholar
Singh A, Click K, Parizi RM, Zhang Q, Dehghantanha A, Choo K-KR. Sidechain technologies in blockchain networks: an examination and state-of-the-art review. J Netw Comput Appl. 2020;1491(102471):1–16.
Google Scholar
Meiklejohn S, Orlandi C. Privacy-enhancing overlays in Bitcoin. In: Proceedings of FC’2015—the 19th international conference on financial cryptography and data security. Lecture notes in computer science, vol 8976. Berlin: Springer; 2015. p. 127–141. https://doi.org/10.1007/978-3-662-48051-9_10.
Chakravarty MMT, Chapman J, MacKenzie K, Melkonian O, Peyton Jones M, Wadler P. The extended UTXO model. In: Financial cryptography and data security. Lecture Notes in Computer Science, vol 12063. Berlin: Springer; 2020. p. 525–39.
Gabbay MJ. Algebras of UTxO blockchains. Math Struct Comput Sci. 2021;31:1034–89.
Article MathSciNet MATH Google Scholar
Brünjes L, Gabbay MJ. UTxO- vs account-based smart contract blockchain programming paradigms. In: Proceeding of ISOLA’2020—the 9th international symposium on leveraging applications of formal methods, verification and validation. Lecture Notes in Computer Science, vol 12478. Berlin: Springer; 2020. p. 73–88.
Reynolds JC. Separation logic: a logic for shared mutable data structures. In: Proceedings of LICS’2002—the 17th IEEE symposium on logic in computer science. New York: IEEE; 2002. p. 55–74.
Milner R. Communicating and mobile systems: the $\pi $-calculus. Cambridge: Cambridge University Press; 1999.
MATH Google Scholar
Gabbay MJ. A theory of inductive definitions with $\alpha $-equivalence—semantics, implementation, programming language. PhD thesis, DPMMS and Trinity College, Cambridge University. 2000.
Gabbay MJ, Pitts AM. A new approach to abstract syntax with variable binding. Formal Aspects Comput. 2001;13(3–5):341–63.
MATH Google Scholar
Gabbay MJ, Ghica DR, Petrisan D. Leaving the nest: nominal techniques for variables with interleaving scopes. In: Proceeeding of CSL’2015—the 4th EACSL annual conference on computer science logic. Leibniz International Proceedings in Informatics, vol 41. Leibniz-Zentrum für Informatik: Dagstuhl Publishing, Dagstuhl; 2015. p. 374–89.
Gabbay MJ. Equivariant ZFA and the foundations of nominal techniques. J Log Comput. 2020;30:525–48.
Article MathSciNet MATH Google Scholar
Nester C. A foundation for ledger structures. In: Proceedings of Tokenomics 2020—the 2nd international conference on blockchain economics, security and protocols. Open Access Series in Informatics, vol. 82. Dagstuhl: Leibniz-Zentrum für Informatik, Dagstuhl Publishing; 2021, p. 7–1713.
Coecke B, Fritz T, Spekkens RW. A mathematical theory of resources. Inf Comput. 2016;250:59–86.
Article MathSciNet MATH Google Scholar
McCurdy MB. Graphical methods for Tannaka duality of weak bialgebras and weak Hopf algebras. Theory Appl Categ. 2012;26(9):233–80.
MathSciNet MATH Google Scholar
Selinger P. A survey of graphical languages for monoidal categories. In: New structures for physics. Lecture notes in physics, vol 813. Berlin: Springer; 2010. p. 289–355.
Valliappan N, Mirliaz S, Lobo Vesga E, Russo A. Towards adding variety to simplicity. In: Proceedings of ISoLA’2018—the 8th international symposium on leveraging applications of formal methods, verification and validation. Lecture notes in computer science, vol 11247. Berlin: Springer; 2018. p. 414–31. https://doi.org/10.1109/Cybermatics_2018.2018.00189.
Buldas A, Saarepera M, Steiner J, Draheim D. A unifying theory of electronic money and payment systems. TechRxiv. 2021. https://doi.org/10.36227/techrxiv.14994558.
Buldas A, Draheim D, Saarepera M. Secure and efficient implementation of electronic money. In: Proceedings Fof FDSE’2022—the 9th international conference future data and security engineering. communications in computer and information science, vol 1688. Berlin: Springer; 2022. p. 34–51. https://doi.org/10.1007/978-981-19-8069-5_3.
Aumann Y, Lindell Y. Security against covert adversaries: efficient protocols for realistic adversaries. In: Vadhan SP, editor. Proceedings of TCC’2007—the 4th theory of cryptography conference. Lecture notes in computer science, vol 4392. Berlin: Springer; 2007. p. 137–156.
Aumann Y, Lindell Y. Security against covert adversaries: efficient protocols for realistic adversaries. J Cryptol. 2007;23(2):281–343.
Article MathSciNet MATH Google Scholar
Buldas A, Niitsoo M. Optimally tight security proofs for hash-then-publish time-stamping. In: Information security and privacy—ACISP 2010. Lecture notes in computer science, vol 6168. Berlin: Springer; 2010. p. 318–35.
European Central Bank, Eesti Pank, Bank of Greece, Deutsche Bundesbank, Central Bank of Ireland, Banco de España, Latvijas Banka, Banca d’Italia, De Nederlandsche Bank: Work Stream 3: A New Solution – Blockchain & eID. July 2021. Accessed 28 Mar 2022. https://www.ecb.europa.eu/paym/digital_euro/investigation/profuse/shared/files/deexp/ecb.deexp211011_3.en.pdf. Accessed 28 Mar 2022. https://haldus.eestipank.ee/sites/default/files/2021-07/Work stream 3-A New Solution-BlockchainandeID_1.pdf.
Olt R, Meidla T, Ilves L, Steiner J. Summary report: results of the Eesti Pank—Guardtime CBDC Research. Eesti Pank, Guardtime, Tallinn. 2021. https://haldus.eestipank.ee/sites/default/files/2021-12/EP-Guardtime_CBDC_Research_2021_eng.pdf. Accessed 11 Mar 2022.
Buldas A, Saarepera M, Steiner J, Ilves L, Olt R, Meidla T. Formal model of money schemes and their implications for central bank digital currency. Eesti Pank, Guardtime, Tallinn. 2021. https://haldus.eestipank.ee/sites/default/files/2021-12/EP-A_Formal_Model_of_Money_2021_eng.pdf. Accessed: 11 Mar 2022.
Eesti Pank. Eesti Pank Ran an Experiment to Investigate the Technological Possibilities of a Central Bank Digital Currency Based on Blockchain, Eesti Pank. 2021. https://www.eestipank.ee/en/press/eesti-pank-ran-experiment-investigate-technological-possibilities-central-bank-digital-currency-13122021. Accessed 11 Mar 2022.
Foteinis S. Bitcoin’s alarming carbon footprint. Nature. 2018;554:169.
Article Google Scholar
Sandner P, Lichti C, Heidt C, Richter R, Schaub B. The carbon emissions of bitcoin from an investor perspective. Frankfurt: Frankfurt School Blockchain Center; 2021.
Google Scholar
Trespalacios JP, Dijk J. The Carbon Footprint of Bitcoin. De Nederlandsche Bank, Amsterdam. 2021. https://www.dnb.nl/media/1ftd2xjl/the-carbon-footprint-of-bitcoin.pdf. Accessed 29 Mar 2022.
Buldas A, Laur S. Knowledge-binding commitments with applications in time-stamping. In: Okamoto T, X W, editors. Proceedings of PKC’2007—the 10th international conference on practice and theory in public-key cryptography. Lecture notes in computer science, vol 4450. Berlin: Springer; 2007. p. 150–65.

Download references

Author information

Dirk Draheim and Märt Saarepera have contributed equally to this work.

Authors and Affiliations

Centre for Digital Forensics and Cyber Security, Tallinn University of Technology, Akadeemia tee 15a, 12618, Tallinn, Estonia
Ahto Buldas
Information Systems Group, Tallinn University of Technology, Akadeemia tee 15a, 12618, Tallinn, Estonia
Dirk Draheim
Guardtime, A. H. Tammsaare tee 60, 11316, Tallinn, Estonia
Ahto Buldas & Märt Saarepera

Authors

Ahto Buldas
View author publications
You can also search for this author in PubMed Google Scholar
Dirk Draheim
View author publications
You can also search for this author in PubMed Google Scholar
Märt Saarepera
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Ahto Buldas.

Ethics declarations

Conflict of interest

On behalf of all authors, the corresponding author states that there is no conflict of interest.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This article is part of the topical collection “Future Data and Security Engineering 2022” guest edited by Tran Khanh Dang.

Appendices

Appendix A: Proof of Theorem 11

To prove the statement of Theorem 11, we first go through the cases with small k and then prove Lemma 8 that generalizes the argumentation to arbitrary k.

For the probabilistic audit at $n_2$ to succeed with probability $1-\epsilon $, at least $(1-\epsilon )(N_0+N'_0+N_1)$ grey blocks between $n_0$ and $n_2$ must be black, hence there must be no more than $\epsilon (N_0+N'_0+N_1)$ white blocks between $n_0$ and $n_2$ (excluding the blocks at $n_1$ and $n'_1$).

For the probabilistic audit at $n_3$ to succeed with probability $1-\epsilon $, at least $(1-\epsilon )(N_1+N'_1+N_2)$ grey blocks between $n'_1$ and $n_3$ must be white. As between $n'_1$ and $n_2$ the number of white blocks does not exceed $\epsilon (N_0+N'_0+N_1)$, and the number of white blocks between $n_2$ and $n'_2$ does not exceed $\epsilon N'_1$, there has to be at least

$$\begin{aligned} (1-\epsilon )(N_1+N'_1+N_2)- \epsilon (N_0+N'_0+N_1+N'_1) \end{aligned}$$

white blocks between $n'_2$ and $n_3$. This number cannot exceed $N_2$. Therefore $ N_2 \ge (1-\epsilon )(N_1+N'_1+N_2)- \epsilon (N_0+N'_0+N_1+N'_1) $ and hence

$$\begin{aligned} N_1+N'_1+N_2 \ge \frac{1-\epsilon }{\epsilon } (N_1 + N'_1) - (N_0+N'_0). \end{aligned}$$

(10)

For the probabilistic audit at $n_4$ to succeed with probability $1-\epsilon $, at least $(1-\epsilon )(N_2+N'_2+N_3)$ grey blocks between $n'_2$ and $n_4$ must be black. As there are at least $(1-\epsilon )(N_1+N'_1+N_2)- \epsilon (N_0+N'_0+N_1+N'_1)$ white blocks between $n'_2$ and $n_3$, the number of black blocks between $n'_2$ and $n_3$ cannot exceed

$$\begin{aligned}{} & \, N_2 - (1-\epsilon )(N_1+N'_1+N_2)+ \epsilon (N_0+N'_0+N_1+N'_1)\\{} & \, \quad = \epsilon (N_0+N'_0+N_1 + N'_1 + N_2 ) - (1-\epsilon )(N_1+N'_1), \end{aligned}$$

and the number of black blocks between $n_3$ and $n'_3$ does not exceed $\epsilon N'_2$, there have to be at least

$$\begin{aligned} R_3= & \, (1-\epsilon )(N_2+N'_2+N_3) - \epsilon (N_0+N'_0+N_1 + N'_1 + N_2+N'_2 ) + (1-\epsilon )(N_1+N'_1)\\= & \, (1-\epsilon )(N_1+N'_1+N_2+N'_2+N_3) - \epsilon (N_0+N'_0+N_1 + N'_1 + N_2+N'_2 ) \end{aligned}$$

black blocks between $n'_3$ and $n_4$. This number cannot exceed $N_3$ and hence $N_3\ge (1-\epsilon )(N_2+N'_2+N_3) - \epsilon (N_0+N'_0+N_1 + N'_1 + N_2+N'_2 ) + (1-\epsilon )(N_1+N'_1)$. Therefore:

$$\begin{aligned} N_1 + N'_1 + N_2+N'_2 +N_3&\ge \, \frac{1-\epsilon }{\epsilon } (N_1+N'_1+N_2+N'_2) - (N_0+N'_0)\\ &\ge \, \frac{1-\epsilon }{\epsilon } (N_1+N'_1+N_2) - (N_0+N'_0)\\ &= \, \left( \frac{1-\epsilon }{\epsilon }\right) ^2 (N_1+N'_1) - \left[ 1 + \frac{1-\epsilon }{\epsilon }\right] (N_0+N'_0) . \end{aligned}$$

Lemma 8

For every $k\ge 2$, the number of right color blocks (for the audit at $n_{k+1}$) between $n'_{k}$ and $n_{k+1}$ must be at least

$$\begin{aligned} R_k=(1-\epsilon )(N_1 + N'_1 + \ldots + N_{k-1} + N'_{k-1} + N_k) - \epsilon (N_0 + N'_0 + \ldots + N_{k-1} + N'_{k-1}) \end{aligned}$$

and

$$\begin{aligned} &N_1+{} \, N'_1 +\ldots + N_{k-1} + N'_{k-1} + N_k \\ & \quad \ge \, \left( \frac{1-\epsilon }{\epsilon }\right) ^{k-1} (N_1+N'_1) - \left[ 1+ \frac{1-\epsilon }{\epsilon } + \ldots + \left( \frac{1-\epsilon }{\epsilon }\right) ^{k-2} \right] (N_0+N'_0). \end{aligned}$$

Proof

We use induction on k. The case $k=2$ follows from equation (10). Assume that $k\ge 3$ the statement holds for $k-1$, i.e. the number of right color blocks (for the audit at $n_{k}$) between $n'_{k-1}$ and $n_{k}$ must be at least

$$\begin{aligned} R_{k-1}=(1-\epsilon )(N_1 + N'_1 + \ldots + N_{k-2} + N'_{k-2} + N_{k-1}) - \epsilon (N_0 + N'_0 + \ldots + N_{k-2} + N'_{k-2}) \end{aligned}$$

and

$$\begin{aligned} & N_1+{} \, N'_1 +\ldots + N_{k-2} + N'_{k-2} + N_{k-1} \ge \\ &\quad \ge \, \left( \frac{1-\epsilon }{\epsilon }\right) ^{k-2} (N_1+N'_1) - \left[ 1+ \frac{1-\epsilon }{\epsilon } + \ldots + \left( \frac{1-\epsilon }{\epsilon }\right) ^{k-3} \right] (N_0+N'_0). \end{aligned}$$

For the audit at $n_{k+1}$ to succeed with probability $1-\epsilon $, at least $(1-\epsilon )(N_{k-1}+N'_{k-1}+N_k)$ grey blocks between $n'_k$ and $n_{k+1}$ must be of the right color. As there are at least $R_{k-1}$ wrong color blocks between $n'_{k-1}$ and $n_{k}$, the number of right color blocks between $n'_{k-1}$ and $n_{k}$ cannot exceed

$$\begin{aligned} N_{k-1}-R_{k-1}&= \, N_{k-1} - (1-\epsilon )(N_1 + N'_1 + \ldots + N_{k-2} + N'_{k-2} + N_{k-1}) \\ & \quad + \epsilon (N_0 + N'_0 + \ldots + N_{k-2} + N'_{k-2})\\ &= \, \epsilon (N_0 + N'_0 + \ldots + N_{k-2} + N'_{k-2} + N_{k-1}) \\ & \quad - (1-\epsilon )(N_1 + N'_1 + \ldots + N_{k-2} + N'_{k-2}) , \end{aligned}$$

and the number of right color blocks between $n_k$ and $n'_k$ does not exceed $\epsilon N'_{k-1}$, there has to be at least

$$\begin{aligned} R_k= & \, (1-\epsilon )(N_{k-1}+N'_{k-1}+N_k) - (N_{k-1}-R_{k-1}) - \epsilon N'_{k-1}\\= & \, (1-\epsilon )(N_{k-1}+N'_{k-1}+N_k) - \epsilon (N_0 + N'_0 + \ldots + N_{k-2} + N'_{k-2} + N_{k-1}) + \\{} & \, \hspace{99.58464pt}+ (1-\epsilon )(N_1 + N'_1 + \ldots + N_{k-2} + N'_{k-2}) - \epsilon N'_{k-1}\\= & \, (1-\epsilon )(N_1 + N'_1 + \ldots + N_{k-1}+N'_{k-1}+N_k)- \\{} & \, \hspace{162.18062pt}-\epsilon (N_0 + N'_0 + \ldots + N_{k-1} + N'_{k-1}) \end{aligned}$$

right color blocks between $n'_k$ and $n_{k+1}$. This number cannot exceed $N_k$ and hence, $N_k\ge (1-\epsilon )(N_1 + N'_1 + \ldots + N_{k-1}+N'_{k-1}+N_k)- \epsilon (N_0 + N'_0 + \ldots + N_{k-1} + N'_{k-1})$. Therefore

$$\begin{aligned} & N_1 +{} \, N'_1 + \ldots + N_{k-1}+N'_{k-1} +N_k \\ &\quad \ge , \frac{1-\epsilon }{\epsilon } (N_1+N'_1+ \ldots + N_{k-2} +N'_{k-2}+ N_{k-1}+N'_{k-1}) - (N_0+N'_0)\\ &\quad \ge \frac{1-\epsilon }{\epsilon } (N_1+N'_1+ \ldots + N_{k-2} +N'_{k-2}+ N_{k-1}) - (N_0+N'_0)\\ &\quad = \, \left( \frac{1-\epsilon }{\epsilon }\right) ^{k-1} (N_1+N'_1) - \left[ 1+ \frac{1-\epsilon }{\epsilon } + \ldots + \left( \frac{1-\epsilon }{\epsilon }\right) ^{k-2} \right] (N_0+N'_0) . \end{aligned}$$

This completes the induction. $\square $

Hence, from Lemma 8, the statement of Theorem 11 follows:

$$\begin{aligned} n_{k+1} - n_0> & \, N_0 + N'_0 + N_1 + N'_1 + \ldots + N_{k-1}+N'_{k-1} +N_k \\\ge & \, \left( \frac{1-\epsilon }{\epsilon }\right) ^{k-1} (N_1+N'_1) - \left[ \frac{1-\epsilon }{\epsilon } + \ldots + \left( \frac{1-\epsilon }{\epsilon }\right) ^{k-2} \right] (N_0+N'_0). \end{aligned}$$

Appendix B: The Category of Partial Implementations

Objects of the category are transition systems $M=(S,T)$ with units $1=1_S\in T$, i.e. machines. The morphisms from $M_1=(S_1,T_1)$ to $M_2=(S_2,T_2)$ are partial implementations, i.e. functions $f:S_1\rightarrow S_2$ such that for every $s_1\in S_1$ and $t_2\in T_2$, there exists $t_1\in T_1$ such that $f(t_1(s_1)) = t_2(f(s_1))$. The composition gf of two morphisms is their composition $g\circ f$ as functions.

Lemma 9

The composition gf of morphisms g and f is a morphism.

Proof

Let $M_1=(T_1,S_1)$, $M_2=(T_2,S_2)$, and $M_3=(S_3,T_3)$ be machines, and let $f:S_1\rightarrow S_2$, $g:S_2\rightarrow S_3$ be morphisms. Let $t_3\in T_3$, $s_1\in S_1$, and $s_2=f(s_1)$. As g is a morphism, there exists $t_2\in T_2$ such that $g(t_2(s_2)) = t_3(g(s_2))$, and as f is a morphism, there exists $t_1\in T_1$ such that $f(t_1(s_1)) = t_2(f(s_1))$. Therefore,

$$\begin{aligned} (gf)(t_1(s_1)) = g(t_2(f(s_1))) = t_3(g(f(s_1))) = t_3((gf)(s_1)) \end{aligned}$$

and hence gf is a morphism. $\square $

An object (S, T) is called trivial if $T=\{1\}$, and full if $T=S^S$, where $S^S$ is the set of all functions $S\rightarrow S$.

Lemma 10

If $M_1=(S_1,T_1)$, $M_2=(S_2,T_2)$ are machines, and $M_2$ is trivial, then every function $f:S_1\rightarrow S_2$ is a morphism.

Proof

Let $s_1\in S_1$ and $t_2\in T_2$. Hence, $t_2=1$ by the triviality of $M_2$. If $t_1=1\in T_1$, then $f(t_1(s_1)) = f(s_1) = 1(f(s_1)) = t_2(f(s_1))$ and hence, f is a morphism. $\square $

Lemma 11

If $M_1=(S_1,T_1)$, $M_2=(S_2,T_2)$ are machines, and $M_1$ is full, then every bijective function $f:S_1\rightarrow S_2$ is a morphism.

Proof

Let $s_1\in S_1$ and $t_2\in T_2$. As f is bijective, $t_1=f^{-1}\circ t_2\circ f\in S_1^{S_1}=T_1$. Hence, $f(t_1(s_1)) = f((f^{-1}\circ t_2\circ f)(s_1)) = t_2(f(s_1))$ and f is thereby a morphism. $\square $

Lemma 12

A morphism f is an epimorphism iff f is surjective.

Proof

Let $M_1=(S_1,T_1)$, $M_2=(S_2,T_2)$ and f be a morphism from $M_1$ to $M_2$. If f is surjective then for every $s_2\in S_2$, there is $s_1\in S_1$ such that $s_2=f(s_1)$. Hence, if $gf = g'f$ for morphisms $g,g'$, then $g(s_2) = g(f(s_1)) = g'(f(s_1)) = g'(s_2)$ and therefore $g=g'$ and f is an epimorphism.

Let f be an epimorphism that is not surjective and $s\in S_2\backslash \,f(S_1)$. We choose $M_3=(S_3,T_3)$ to be a trivial object with $\Vert S_3\Vert \ge 2$ and $g,g'$ be functions from $S_2$ to $S_3$ the values of which only differ at s, i.e. $g(s)\ne g'(s)$ but $g(s')=g'(s')$ for every $s\ne s'\in S_2$. Then $g f = g'f$, $g\ne g'$, and $g,g'$ are morphisms by Lemma 10. A contradiction. $\square $

Lemma 13

A morphism f is a monomorphism iff f is injective.

Proof

Let $M_2=(S_2,T_2)$, $M_3=(S_3,T_3)$ and f be a morphism from $M_2$ to $M_3$. If f is injective and g is a morphism such that $fg = fg'$, then $f(g(s)) = f(g'(s))$ and hence $g(s)=g'(s)$ for every s which means that $g=g'$.

If f is a monomorphism that is not injective, i.e. there exist $s,s'\in S_2$ such that $s\ne s'$ and $f(s)=f(s')$. Choose $S_1=S_2$ and $T_1=S_2^{S_2}$, i.e. $M_1=(S_1,T_1)$ is a full object. Let $g=1_{S_2}$ and $g'=(ss')$ be a transposition that swaps s and $s'$. Then $g,g'$ are bijective, $fg=fg'$, $g\ne g'$, and $g,g'$ are morphisms by Lemma 11. A contradiction. $\square $

In category theory, an object D is said to be a product of objects $M_1, M_2$, if there exist two morphisms $D{\mathop {\rightarrow }\limits ^{\pi _1}} M_1$ and $D{\mathop {\rightarrow }\limits ^{\pi _2}} M_2$ such that for every object M and every two morphisms $M{\mathop {\rightarrow }\limits ^{f_1}} M_1$ and $M{\mathop {\rightarrow }\limits ^{f_2}} M_2$ there exists a unique morphism $M{\mathop {\rightarrow }\limits ^{f}} D$ such that $f_1=\pi _1 f$ and $f_2=\pi _2 f$.

In the category of sets and functions, the product is the direct (Cartesian) product, i.e. if $S_1, S_2$ are sets then $D=S_1\times S_2=\{(s_1,s_2):s_1\in S_1, \, s_2\in S_2\}$. The maps $\pi _1:S_1\times S_2 \rightarrow S_1$ and $\pi _2:S_1\times S_2 \rightarrow S_2$ are defined so that $\pi _1(s_1,s_2) = s_1$ and $\pi _2(s_1,s_2) = s_2$. The unique function $f:S\rightarrow D$ is defined by $f(s)=(f_1(s), f_2(s))$.

The direct product construction can be generalized to the category of machines and partial implementations, so that the direct product of $M_1=(S_1,T_1)$ and $M_2=(S_2,T_2)$ is $D=(S_1\times S_2, T_1\times T_2)$, and the functions $\pi _1,\pi _2$ are the same as in the category of sets and functions and it is easy to see that they are morphisms of the category of machines and partial implementations.

Partial implementations are also functions, and hence for every machine $M=(S,T)$ and two morphisms $M{\mathop {\rightarrow }\limits ^{f_1}} M_1$, $M{\mathop {\rightarrow }\limits ^{f_2}} M_2$ there is a unique function $f:S\rightarrow S_1\times S_2$ such that $f_1=\pi _1 f$ and $f_2=\pi _2 f$, where $f(s)=(f_1(s), f_2(s))$ for every $s\in S$. However, the function f is not always a morphism in the category of machines and partial implementations. Let:

$M=(S,T)$, where $S=\{s,s',s''\}$ and $T=\{1,t'_1,t'_2\}$
$M_1=(S_1,T_1)$, where $S_1=\{s_1,s'_1,s''_1\}$ and $T_1=\{1,t_1\}$,
$M_2=(S_2,T_2)$, where $S_2=\{s_2,s'_2,s''_2\}$ and $T_2=\{1,t_2\}$
$t_1=\{(s_1,s'_1),(s'_1,s'_1),(s''_1,s''_1)\}$, $t_2=\{(s_2,s'_2),(s'_2,s'_2),(s''_2,s''_2)\}$
$t'_1=\{(s,s'),(s',s'),(s'',s'')\}$, $t'_2=\{(s,s''),(s',s'),(s'',s'')\}$,
$f_1=\{(s,s_1),(s',s'_1),(s'',s''_1)\}$, and $f_2=\{(s,s_2),(s',s'_2),(s'',s''_2)\}$.

It is easy to see that $f_1, f_2$ are morphisms, but the function $f:S\rightarrow S_1\times S_2$ defined by $f(s)=(f_1(s),f_2(s))$ is not a morphism, because for a transition $(t_1,t_2)\in T_1\times T_2$ there is no $t\in T$ such that $f(t(s)) =(t_1,t_2)(f(s))$. Indeed:

$f(t'_1(s)) = (s'_1,s''_2)\ne (s'_1,s'_2)=(t_1(f_1(s)),t_2(f_2(s)))=(t_1,t_2)(f(s))$
$f(t'_2(s)) = (s''_1,s'_2)\ne (s'_1,s'_2)$
$f(1(s)) = (s_1,s_2)\ne (s'_1,s'_2)$

This means that in the category of machines and partial implementations, not every two objects have a product.

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Reprints and permissions

About this article

Cite this article

Buldas, A., Draheim, D. & Saarepera, M. A Theory of Secure and Efficient Implementation of Electronic Money. SN COMPUT. SCI. 4, 861 (2023). https://doi.org/10.1007/s42979-023-02232-y

Download citation

Received: 30 April 2023
Accepted: 30 July 2023
Published: 08 November 2023
DOI: https://doi.org/10.1007/s42979-023-02232-y

Keywords

Use our pre-submission checklist

Avoid common mistakes on your manuscript.

A Theory of Secure and Efficient Implementation of Electronic Money

Abstract

Similar content being viewed by others

Secure and Efficient Implementation of Electronic Money

Blockchain of Cryptocurrency Using a Proof-of-Work-Based Consensus Algorithm with an SHA-256 Hash Algorithm to Make Secure Payments

A proposal for a layer-2 CBDC on a rollup

Introduction

Related Work

Central Bank Digital Currencies

Relevant Blockchain Technologies

The Extended UTXO Model

Formal Models of Blockchain Technology

Money Schemes

Money Distributions

Money Transformations and Payments

Definition 1

Lemma 1

Proof

Lemma 2

Proof

Lemma 3

Proof

Definition 2

Definition 3

Definition 4

Money Schemes

Definition 5

Lemma 4

Proof

Definition 6

Categorization of Money Schemes by Invariance

Descriptional Complexity of Payments

Definition 7

Theorem 1

Proof

Corollary 2

Definition 8

Theorem 3

Proof

Corollary 4

Proof

Implementations of Money Schemes

Definition 9

Definition 10

Definition 11

Blockchain Implementations

Atomic Decomposition of Money Schemes

Definition 12

Definition 13

Lemma 5

Proof

Theorem 5

Proof

Theorem 6

Proof

Unitwise Decompositions of Money Schemes

Notations and Definition

Definition 14

Theoretical Results about Unitwise Decompositions

Theorem 7

Proof

Theorem 8

Proof

Definition 15

Theorem 9

Proof

Corollary 10

Implications

Security of Blockchain Implementations

Rules of a Bill Ledger

User Side Full Audit

Full Audit Protocol

Security of the Full Audit

Communication Complexity of the Full Audit

KSI-Cash Bill Ledger

Hash Chains

The Idea of Probabilistic Audit

Proofs and Ledger Hashes in KSI-Cash

Lemma 6

Proof